Imported Debian patch 2:1.11.4-0ubuntu10.8
authorRicardo Salveti de Araujo <ricardo.salveti@linaro.org>
Fri, 20 Jul 2012 01:57:12 +0000 (22:57 -0300)
committerXavier Boudet <x-boudet@ti.com>
Thu, 30 Aug 2012 12:51:45 +0000 (14:51 +0200)
debian/changelog
debian/patches/229_randr_first_check_pScrPriv_before_using_the_pointer.patch [new file with mode: 0644]
debian/patches/230_randr_catch_two_more_potential_unset_rrScrPriv_uses.patch [new file with mode: 0644]
debian/patches/series

index 5842c1359d14f7f30b2f9a44073426a5e3c3c26d..4e066c9a57140f21571a8b1de1f12aff7f37ab65 100644 (file)
@@ -1,3 +1,12 @@
+xorg-server (2:1.11.4-0ubuntu10.8) precise-proposed; urgency=low
+
+  * Add upstream patches to avoid seg fault in case the user is running with
+    multiple screens and xrandr is only enabled at one (LP: #1015292):
+    - 229_randr_first_check_pScrPriv_before_using_the_pointer.patch
+    - 230_randr_catch_two_more_potential_unset_rrScrPriv_uses.patch
+
+ -- Ricardo Salveti de Araujo <ricardo.salveti@linaro.org>  Thu, 19 Jul 2012 22:57:12 -0300
+
 xorg-server (2:1.11.4-0ubuntu10.7) precise-proposed; urgency=low
 
   * Re-enable 516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch
diff --git a/debian/patches/229_randr_first_check_pScrPriv_before_using_the_pointer.patch b/debian/patches/229_randr_first_check_pScrPriv_before_using_the_pointer.patch
new file mode 100644 (file)
index 0000000..8c9cf71
--- /dev/null
@@ -0,0 +1,30 @@
+From 32603f57ca03b6390b109960f8bb5ea53ac95ecb Mon Sep 17 00:00:00 2001
+From: Ricardo Salveti de Araujo <ricardo.salveti@linaro.org>
+Date: Thu, 21 Jun 2012 00:55:53 -0300
+Subject: [PATCH] randr: first check pScrPriv before using the pointer at
+ RRFirstOutput
+
+Fix a seg fault in case pScrPriv is NULL at ProcRRGetScreenInfo,
+which later calls RRFirstOutput.
+
+Signed-off-by: Ricardo Salveti de Araujo <ricardo.salveti@linaro.org>
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ randr/randr.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: xorg-server-1.11.4/randr/randr.c
+===================================================================
+--- xorg-server-1.11.4.orig/randr/randr.c      2012-07-17 18:46:06.000000000 -0300
++++ xorg-server-1.11.4/randr/randr.c   2012-07-17 18:48:35.169824448 -0300
+@@ -454,6 +454,9 @@
+     rrScrPriv(pScreen);
+     RROutputPtr                   output;
+     int       i, j;
++
++    if (!pScrPriv)
++        return NULL;
+     
+     if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc)
+       return pScrPriv->primaryOutput;
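Review bot: The new `if (!pScrPriv) return NULL;` guard in RRFirstOutput gives a NULL result the meaning "this screen has no RandR private", and nothing in the hunk documents that for callers. The patch description names ProcRRGetScreenInfo as the caller that hit the crash, but other callers are not visible here; each must tolerate NULL, otherwise the dereference only moves one frame up. I would add a comment above the guard such as `/* RandR may be uninitialised on this screen (multi-screen setups); callers must handle a NULL return */`. The function body starts and ends outside the hunk, so whether it could already return NULL on other paths cannot be confirmed from here.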
diff --git a/debian/patches/230_randr_catch_two_more_potential_unset_rrScrPriv_uses.patch b/debian/patches/230_randr_catch_two_more_potential_unset_rrScrPriv_uses.patch
new file mode 100644 (file)
index 0000000..e37d073
--- /dev/null
@@ -0,0 +1,52 @@
+From 855003c333a0ead1db912695bc9705ef2b3144b4 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Thu, 21 Jun 2012 18:45:18 -0700
+Subject: [PATCH] randr: Catch two more potential unset rrScrPriv uses
+
+Ricardo Salveti <ricardo.salveti@linaro.org> found one place where the
+randr code could use the randr screen private data without checking
+for null first. This happens when the X server is running with
+multiple screens, some of which are randr enabled and some of which
+are not. Applications making protocol requests to the non-randr
+screens can cause segfaults where the server touches the unset private
+structure.
+
+I audited the code and found two more possible problem spots; the
+trick to auditing for this issue was to look for functions not taking
+a RandR data structure and where there was no null screen private
+check above them in the call graph.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ randr/rroutput.c |    3 ++-
+ randr/rrscreen.c |    3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/randr/rroutput.c b/randr/rroutput.c
+index 091e06b..fbd0e32 100644
+--- a/randr/rroutput.c
++++ b/randr/rroutput.c
+@@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client)
+     }
+     pScrPriv = rrGetScrPriv(pWin->drawable.pScreen);
+-    RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
++    if (pScrPriv)
++        RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
+     return Success;
+ }
+diff --git a/randr/rrscreen.c b/randr/rrscreen.c
+index f570afa..55110e0 100644
+--- a/randr/rrscreen.c
++++ b/randr/rrscreen.c
+@@ -261,6 +261,9 @@
+     pScreen = pWin->drawable.pScreen;
+     pScrPriv = rrGetScrPriv(pScreen);
++    if (!pScrPriv)
++        return BadMatch;
++
+     if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width)
+     {
+       client->errorValue = stuff->width;
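Review bot: The two guards in this patch treat the same condition differently: in ProcRRSetOutputPrimary (rroutput.c) a NULL pScrPriv skips RRSetPrimaryOutput but still returns Success, while the rrscreen.c hunk returns BadMatch. A client addressing a screen without RandR therefore gets no indication that its primary-output request was dropped. If the silent no-op is not deliberate, make it consistent with the other hunk by putting `if (!pScrPriv) return BadMatch;` ahead of the RRSetPrimaryOutput call; if it is deliberate, a one-line comment saying so would stop a later cleanup from changing it. Both paths are reached directly from client requests, so a test that sends each request to a non-RandR screen in a multi-screen setup would guard against the crash returning. Both function bodies extend outside the hunks, and the rrscreen.c hunk header does not name its function.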
index 0ce1ed64837213ecf01d34ef2277392ef5fbcc5c..0279297a352a21314c77e7b88dcc9a13b518a7ff 100644 (file)
 226_fall_back_to_autoconfiguration.patch
 227_null_ptr_midispcur.patch
 228_log-format-fix.patch
+229_randr_first_check_pScrPriv_before_using_the_pointer.patch
+230_randr_catch_two_more_potential_unset_rrScrPriv_uses.patch
 
 ## Input Stack Patches (from xserver 1.12) ##
 500_pointer_barrier_thresholds.diff
 505_query_pointer_touchscreen.patch
 506_touchscreen_pointer_emulation_checks.patch
 507_touchscreen_fixes.patch
-
 # Patch 508 attempted to fix LP: #968845, but caused regression
 # crash bug #1009629.  Patches 510-515 attempted to fix that
 # regression, but this led to the severe crash bug #1021517.
@@ -50,3 +51,4 @@
 #514-Xi-drop-forced-unpairing-when-changing-the-hierarchy.patch
 #515-dix-disable-all-devices-before-shutdown.patch
 516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch
+