| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
| |
This can result in reading an uninitialized value in draw_image_boxes() in cairo-xlib-render-compositor.c.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
X11 use uint16_t for the width/height of things. Anything too large will
be truncated when sending the request to the X11 server. This commit
adds a size check to a function that did not check things and then later
caused a segmentation fault.
Not adding a test case because the test case from the below bug report
allocates 3,5 GiB of memory, which I find too much for a test.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/414
Signed-off-by: Uli Schlachter <psychon@znc.in>
|
|
|
|
|
|
|
|
|
|
| |
_cairo_malloc(0) always returns NULL, but has not been used
consistently. This patch replaces many calls to malloc() with
_cairo_malloc().
Fixes: fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NextRequest is a macro that doesn't mix well with xcb, since
dpy->request is not updated. Instead use XNextRequest() that was fixed
to do the right thing with xcb in libX11 commit:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=7f8f9a36ef901f31279c385caf960a22daeb33fe
This may solve application X errors when a shmdt() is called by cairo
before the Attach request is processed.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Uli Schlachter <psychon@znc.in>
|
|
|
|
|
|
| |
On vector surfaces, use a minimum line width when calculating extents.
Bug 77298
|
|
|
|
| |
This reverts commit e7fc8f405beeeb1048f69fe22923170a137b805e.
|
|
|
|
|
|
| |
Following patch fixes a memory leak in xlib surface.
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
|
| |
|
|
|
|
|
|
|
| |
This macro wants the array type as its argument and calls sizeof() on it
internally.
Signed-off-by: Uli Schlachter <psychon@znc.in>
|
|
|
|
|
|
|
| |
Everytime I read the predicate wrong, but hopefully, this time I have it
right!
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
Rename the seqno tests into seqno_passed(), seqno_before() and
seqno_after() in order to clarify their semantics.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
| |
The scratch image buffers are used for uploads to the xserver and so we
must be careful not to overwrite active SHM segments. Unfortunately we
told the core SHM allocator that we would sync before using the images,
which was a lie.
Reported-by: Michael Natterer <mitch@gimp.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
| |
...and treat is as an expected event for synchronisation.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
| |
_cairo_damage_destroy() does not like to be passed a NULL.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
| |
Both to make sure we do not leak the memory, but to also prevent
_cairo_xlib_surface_put_shm() from operating upon the finished shm
surface after the display is closed.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=58253
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
Be more strict with when we mark the pixmap as active so that we only
wait for the actual XCopyArea involving the pixmap to complete.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
Pass along the size the caller requests, not the size of the related
drawable.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
Hopefully this random choice is more meaningful than random junk.
Bugzilla; https://bugs.freedesktop.org/show_bug.cgi?id=58672
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
| |
Despite subclassing image surfaces, we never called down to the image
surface destructor, so we leaked a pixman_image_t every time.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=882976
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
|
|
|
| |
Reported-by: Benjamin Otte <otte@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
| |
In particular note that _cairo_xlib_surface_put_shm is indeed called and
is expected to be a no-op when shm is not available.
Reported-by: Thomas Klausner <wiz@NetBSD.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
| |
Before it was known as shmproto.h, the wire protocol definition was to
be found in shmstr.h, so if we don't have the current version of libXext
try to use the older includes.
Reported-by: Sebastian Haas <sehaas@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
| |
Not all version of libXext ship the same set of headers, so play safe
and check during configure that we have the headers we depend upon in
the code.
Reported-by: Sebastian Haas <sehaas@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
| |
Martin Husemann reported that on his NetBSD machine the vendor was being
reported as "The Xorg Foundation", a non-conformist separatist split of
the Peoples' Liberation Army^W^W^W "The X.Org Foundation". Simply check
for both during initialisation.
Reported-by: Martin Husemann <martin@duskware.de>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
| |
Uli Schlachter suggested it would be wiser to complement our blacklist
of known broken X/libXext with an explicit roundtrip to check for a
BadValue error return when we try to use XSendEvent.
Suggested-by: Uli Schlachter <psychon@znc.in>
Reported-by: Martin Husemann <martin@duskware.de>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Whilst reading through other users of XShm, it became apparent that
IPC_RMID behaves differently across the platforms. Linux allows
processes to attach to an existing ShmSegment id after a IPC_RMID, but
for others the IPC_RMID takes immediate effect. On those platforms
without a "deferred" IPC_RMID, we then need to perform the XShmAttach
synchronously before perfomring the IPC_RMID.
Reported-by: Thomas Klausner <wiz@NetBSD.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
| |
Søren thought it was bit harsh to lay the blame solely on xorg for it
crashing due to an unexpected input value, and that we should mention
libXext was also partly to blame for incorrectly setting the SEND_EVENT
bit in the ShmCompletionEvent.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Søren Sandmann Pedersen pointed out that all versions of Xorg prior to
and including xorg-1.11.0 contained a bug that would cause them to crash
if they ever processed an event sent by XSendEvent. This was fixed in
commit 2d2dce558d24eeea0eb011ec9ebaa6c5c2273c39
Author: Sam Spilsbury <sam.spilsbury@canonical.com>
Date: Wed Sep 14 09:58:34 2011 +0800
Remove the SendEvent bit (0x80) before doing range checks on event type.
so make sure we do not use XSendEvent prior to that commit, which
fortuitously is quite easy as we only do so along the ShmPixmap path.
Reported-by: Søren Sandmann Pedersen <ssp@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
| |
Fixes xlib-surface-source
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
Needs a bit of extra work to create the extension event, but this leaves
the application with only a single spurious event to filter.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
| |
Flushing the shm operation is a fairly rare event, as it is typically
only involved with mixed rendering on a similar image, and should be
triggering its own events. Therefore we should be able to reduce our
event emission to the critical points in order to limit the amount of
extra overhead we generate.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
| |
As the XCheckWindowEvent() has the unwanted side-effect of flushing the
output queue when there is no event available (libX11 seems to be
entirely anti-performant), we need to roll our own that only checks the
already available event queue.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
| |
Adding lots of requests without popping the replies causes xcb to
continually sort large lists of unprocessed data. Use an event instead
and regularly dequeue them.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
| |
As we access a global error variable, we need to hold a mutex against
simultaneous checking of multiple Displays. This should already be true
as we hold our display mutex to serialize initialisation, so just add an
assertion. As the client may mix use of cairo in one thread with X from
another, we need to hold the Display lock and serialise whilst
manipulating the low-level state of the Display.
Suggested-by: Uli Schlachter <psychon@znc.in>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
The upper layers check that the surface returned to userspace is
cleared; make it so.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
|
| |
Reduce the number of copies required for uploading large image data.
Ultimately we want the client to allocate the similar-image itself to
acheive zero copy, this is just an intermediate step for legacy clients.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
We want to avoid unnecessary readback and so only want to use the
ShmPixmap when uploading the complete surface.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
|
|
|
| |
If we optimise away the pending frees we must be careful to propagate
the implied sync.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
|
|
| |
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
|
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|