packages/xorg-x11-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!23 Upgrade to 1.20.10

Browse Source 
From: @jinzhimin369
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
This commit is contained in:
openeuler-ci-bot 2021-02-03 10:36:25 +08:00 committed by Gitee
commit 0f8e1f3ded
11 changed files with 96 additions and 400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
0003-xwayland-Use-buffer_damage-instead-of-surface-damage.patch
View File

@ -1,7 +1,7 @@
From ce5eef7d33d7ba37cabee6b2bb020ed62abe6208 Mon Sep 17 00:00:00 2001
From 30859f64d1718d1476648dcddbb3d81c2f932828 Mon Sep 17 00:00:00 2001
From: Robert Mader <robert.mader@posteo.de>
Date: Tue, 2 Jul 2019 12:03:12 +0200
Subject: [PATCH xserver 03/24] xwayland: Use buffer_damage instead of surface
Subject: [PATCH xserver 03/25] xwayland: Use buffer_damage instead of surface
damage if available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -28,10 +28,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 7c6f17790d3aedb164481264b0f05a8a14103731)
---
hw/xwayland/xwayland-cursor.c | 12 ++++++------
hw/xwayland/xwayland-present.c | 6 +++---
hw/xwayland/xwayland-present.c | 10 +++++-----
hw/xwayland/xwayland.c | 29 +++++++++++++++++++++++------
hw/xwayland/xwayland.h | 3 +++
4 files changed, 35 insertions(+), 15 deletions(-)
4 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
index 66720bcc0..cbc715061 100644
@ -64,27 +64,31 @@ index 66720bcc0..cbc715061 100644
xwl_cursor->frame_cb = wl_surface_frame(xwl_cursor->surface);
wl_callback_add_listener(xwl_cursor->frame_cb, &frame_listener, xwl_cursor);
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 5ba7dce08..58c32941d 100644
index d177abdd8..f4027f91e 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -495,9 +495,9 @@ xwl_present_flip(WindowPtr present_window,
@@ -505,11 +505,11 @@ xwl_present_flip(WindowPtr present_window,
/* Realign timer */
xwl_present_reset_timer(xwl_present_window);
- wl_surface_damage(xwl_window->surface, 0, 0,
- wl_surface_damage(xwl_window->surface,
- damage_box->x1 - present_window->drawable.x,
- damage_box->y1 - present_window->drawable.y,
- damage_box->x2 - damage_box->x1,
- damage_box->y2 - damage_box->y1);
+ xwl_surface_damage(xwl_window->xwl_screen, xwl_window->surface, 0, 0,
+ xwl_surface_damage(xwl_window->xwl_screen, xwl_window->surface,
+ damage_box->x1 - present_window->drawable.x,
+ damage_box->y1 - present_window->drawable.y,
+ damage_box->x2 - damage_box->x1,
+ damage_box->y2 - damage_box->y1);
wl_surface_commit(xwl_window->surface);
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 2084f2afb..942981834 100644
index a70c1002f..811257b00 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -803,6 +803,16 @@ xwl_destroy_window(WindowPtr window)
@@ -792,6 +792,16 @@ xwl_destroy_window(WindowPtr window)
return ret;
}
@ -101,7 +105,7 @@ index 2084f2afb..942981834 100644
static void
xwl_window_post_damage(struct xwl_window *xwl_window)
{
@@ -839,13 +849,15 @@ xwl_window_post_damage(struct xwl_window *xwl_window)
@@ -828,13 +838,15 @@ xwl_window_post_damage(struct xwl_window *xwl_window)
*/
if (RegionNumRects(region) > 256) {
box = RegionExtents(region);
@ -122,7 +126,7 @@ index 2084f2afb..942981834 100644
}
xwl_window_create_frame_callback(xwl_window);
@@ -904,8 +916,13 @@ registry_global(void *data, struct wl_registry *registry, uint32_t id,
@@ -893,8 +905,13 @@ registry_global(void *data, struct wl_registry *registry, uint32_t id,
struct xwl_screen *xwl_screen = data;
if (strcmp(interface, "wl_compositor") == 0) {
@ -138,7 +142,7 @@ index 2084f2afb..942981834 100644
else if (strcmp(interface, "wl_shm") == 0) {
xwl_screen->shm = wl_registry_bind(registry, id, &wl_shm_interface, 1);
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
index f949ea157..fa78b5ab9 100644
index 91ae21eeb..1244d2e91 100644
--- a/hw/xwayland/xwayland.h
+++ b/hw/xwayland/xwayland.h
@@ -382,6 +382,9 @@ struct xwl_output {
@ -149,8 +153,8 @@ index f949ea157..fa78b5ab9 100644
+ struct wl_surface *surface,
+ int32_t x, int32_t y, int32_t width, int32_t height);
Bool xwl_screen_init_cursor(struct xwl_screen *xwl_screen);
void xwl_screen_roundtrip (struct xwl_screen *xwl_screen);
--
2.25.2
2.28.0

42
0008-xwayland-Add-support-for-randr-resolution-change-emu.patch
View File

@ -1,7 +1,7 @@
From a640802d33e0daccf2d4045ecb3e70cbf56bf0ac Mon Sep 17 00:00:00 2001
From 2f2a6b8556bd104740d76126640abcfe4705047c Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Tue, 2 Jul 2019 11:55:26 +0200
Subject: [PATCH xserver 08/24] xwayland: Add support for randr-resolution
Subject: [PATCH xserver 08/25] xwayland: Add support for randr-resolution
change emulation using viewport
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -37,10 +37,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
4 files changed, 276 insertions(+), 6 deletions(-)
diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
index fa46ac3e7..97b8cd132 100644
index a05d178ff..7d75a8f54 100644
--- a/hw/xwayland/xwayland-input.c
+++ b/hw/xwayland/xwayland-input.c
@@ -486,6 +486,11 @@ dispatch_pointer_motion_event(struct xwl_seat *xwl_seat)
@@ -488,6 +488,11 @@ dispatch_pointer_motion_event(struct xwl_seat *xwl_seat)
int dx = xwl_seat->focus_window->window->drawable.x;
int dy = xwl_seat->focus_window->window->drawable.y;
@ -53,10 +53,10 @@ index fa46ac3e7..97b8cd132 100644
y = dy + sy;
} else {
diff --git a/hw/xwayland/xwayland-output.c b/hw/xwayland/xwayland-output.c
index 82ff5db70..99ab1b288 100644
index 64794dee7..e09d00108 100644
--- a/hw/xwayland/xwayland-output.c
+++ b/hw/xwayland/xwayland-output.c
@@ -408,6 +408,42 @@ err:
@@ -371,6 +371,42 @@ err:
FatalError("Failed to allocate memory for list of RR modes");
}
@ -99,7 +99,7 @@ index 82ff5db70..99ab1b288 100644
static void
apply_output_change(struct xwl_output *xwl_output)
{
@@ -650,21 +686,36 @@ xwl_randr_screen_set_size(ScreenPtr pScreen,
@@ -613,21 +649,36 @@ xwl_randr_screen_set_size(ScreenPtr pScreen,
static Bool
xwl_randr_crtc_set(ScreenPtr pScreen,
RRCrtcPtr crtc,
@ -143,10 +143,10 @@ index 82ff5db70..99ab1b288 100644
static Bool
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index b0e37ceb9..1ab5b3a28 100644
index f422cfc29..87870a5f1 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -176,6 +176,23 @@ xwl_screen_has_resolution_change_emulation(struct xwl_screen *xwl_screen)
@@ -178,6 +178,23 @@ xwl_screen_has_resolution_change_emulation(struct xwl_screen *xwl_screen)
return xwl_screen->rootless && xwl_screen_has_viewport_support(xwl_screen);
}
@ -170,7 +170,7 @@ index b0e37ceb9..1ab5b3a28 100644
static void
xwl_window_set_allow_commits(struct xwl_window *xwl_window, Bool allow,
const char *debug_msg)
@@ -512,6 +529,150 @@ xwl_pixmap_get(PixmapPtr pixmap)
@@ -501,6 +518,150 @@ xwl_pixmap_get(PixmapPtr pixmap)
return dixLookupPrivate(&pixmap->devPrivates, &xwl_pixmap_private_key);
}
@ -321,7 +321,7 @@ index b0e37ceb9..1ab5b3a28 100644
static void
xwl_window_init_allow_commits(struct xwl_window *xwl_window)
{
@@ -582,6 +743,8 @@ ensure_surface_for_window(WindowPtr window)
@@ -571,6 +732,8 @@ ensure_surface_for_window(WindowPtr window)
xwl_window->xwl_screen = xwl_screen;
xwl_window->window = window;
@ -330,7 +330,7 @@ index b0e37ceb9..1ab5b3a28 100644
xwl_window->surface = wl_compositor_create_surface(xwl_screen->compositor);
if (xwl_window->surface == NULL) {
ErrorF("wl_display_create_surface failed\n");
@@ -623,6 +786,7 @@ ensure_surface_for_window(WindowPtr window)
@@ -612,6 +775,7 @@ ensure_surface_for_window(WindowPtr window)
dixSetPrivate(&window->devPrivates, &xwl_window_private_key, xwl_window);
xorg_list_init(&xwl_window->link_damage);
@ -338,7 +338,7 @@ index b0e37ceb9..1ab5b3a28 100644
#ifdef GLAMOR_HAS_GBM
xorg_list_init(&xwl_window->frame_callback_list);
@@ -716,8 +880,12 @@ xwl_unrealize_window(WindowPtr window)
@@ -705,8 +869,12 @@ xwl_unrealize_window(WindowPtr window)
if (!xwl_window)
return ret;
@ -351,7 +351,7 @@ index b0e37ceb9..1ab5b3a28 100644
unregister_damage(window);
if (xwl_window->frame_callback)
@@ -767,6 +935,33 @@ xwl_set_window_pixmap(WindowPtr window,
@@ -756,6 +924,33 @@ xwl_set_window_pixmap(WindowPtr window,
ensure_surface_for_window(window);
}
@ -385,15 +385,15 @@ index b0e37ceb9..1ab5b3a28 100644
static void
frame_callback(void *data,
struct wl_callback *callback,
@@ -1218,6 +1413,7 @@ xwl_screen_init(ScreenPtr pScreen, int argc, char **argv)
@@ -1233,6 +1428,7 @@ xwl_screen_init(ScreenPtr pScreen, int argc, char **argv)
xorg_list_init(&xwl_screen->output_list);
xorg_list_init(&xwl_screen->seat_list);
xorg_list_init(&xwl_screen->damage_window_list);
+ xorg_list_init(&xwl_screen->window_list);
xwl_screen->depth = 24;
xwl_screen->display = wl_display_connect(NULL);
@@ -1316,6 +1512,9 @@ xwl_screen_init(ScreenPtr pScreen, int argc, char **argv)
if (!monitorResolution)
@@ -1332,6 +1528,9 @@ xwl_screen_init(ScreenPtr pScreen, int argc, char **argv)
xwl_screen->CloseScreen = pScreen->CloseScreen;
pScreen->CloseScreen = xwl_close_screen;
@ -404,7 +404,7 @@ index b0e37ceb9..1ab5b3a28 100644
xwl_screen->SetWindowPixmap = pScreen->SetWindowPixmap;
pScreen->SetWindowPixmap = xwl_set_window_pixmap;
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
index 0e6f92e63..9adf3af76 100644
index c886d77e9..36c4c4c8b 100644
--- a/hw/xwayland/xwayland.h
+++ b/hw/xwayland/xwayland.h
@@ -135,10 +135,12 @@ struct xwl_screen {
@ -434,7 +434,7 @@ index 0e6f92e63..9adf3af76 100644
struct wl_callback *frame_callback;
Bool allow_commits;
#ifdef GLAMOR_HAS_GBM
@@ -409,6 +415,9 @@ Bool xwl_screen_init_cursor(struct xwl_screen *xwl_screen);
@@ -411,6 +417,9 @@ Bool xwl_screen_init_cursor(struct xwl_screen *xwl_screen);
struct xwl_screen *xwl_screen_get(ScreenPtr screen);
Bool xwl_screen_has_resolution_change_emulation(struct xwl_screen *xwl_screen);
@ -444,7 +444,7 @@ index 0e6f92e63..9adf3af76 100644
void xwl_tablet_tool_set_cursor(struct xwl_tablet_tool *tool);
void xwl_seat_set_cursor(struct xwl_seat *xwl_seat);
@@ -442,6 +451,12 @@ void xwl_output_remove(struct xwl_output *xwl_output);
@@ -444,6 +453,12 @@ void xwl_output_remove(struct xwl_output *xwl_output);
struct xwl_emulated_mode *xwl_output_get_emulated_mode_for_client(
struct xwl_output *xwl_output, ClientPtr client);
@ -458,5 +458,5 @@ index 0e6f92e63..9adf3af76 100644
float VRefresh, Bool Reduced, Bool Interlaced);
--
2.25.2
2.28.0

26
0013-xwayland-Set-_XWAYLAND_RANDR_EMU_MONITOR_RECTS-prope.patch
View File

@ -1,7 +1,7 @@
From dda4a8b2f672eb5791f39222dd0996e07b416eb7 Mon Sep 17 00:00:00 2001
From 48bc25613f91b69d9ee68e8211f8bf22317aa40a Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 2 Sep 2019 17:32:45 +0200
Subject: [PATCH xserver 13/24] xwayland: Set _XWAYLAND_RANDR_EMU_MONITOR_RECTS
Subject: [PATCH xserver 13/25] xwayland: Set _XWAYLAND_RANDR_EMU_MONITOR_RECTS
property for resolution emulation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -37,7 +37,7 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
3 files changed, 103 insertions(+)
diff --git a/hw/xwayland/xwayland-output.c b/hw/xwayland/xwayland-output.c
index 99ab1b288..20c254962 100644
index e09d00108..0d6b9ac9f 100644
--- a/hw/xwayland/xwayland-output.c
+++ b/hw/xwayland/xwayland-output.c
@@ -29,6 +29,7 @@
@ -46,9 +46,9 @@ index 99ab1b288..20c254962 100644
#include <randrstr.h>
+#include <X11/Xatom.h>
#define DEFAULT_DPI 96
#define ALL_ROTATIONS (RR_Rotate_0 | \
@@ -428,6 +429,80 @@ xwl_output_find_mode(struct xwl_output *xwl_output,
RR_Rotate_90 | \
@@ -391,6 +392,80 @@ xwl_output_find_mode(struct xwl_output *xwl_output,
return NULL;
}
@ -129,7 +129,7 @@ index 99ab1b288..20c254962 100644
void
xwl_output_set_emulated_mode(struct xwl_output *xwl_output, ClientPtr client,
RRModePtr mode, Bool from_vidmode)
@@ -442,6 +517,8 @@ xwl_output_set_emulated_mode(struct xwl_output *xwl_output, ClientPtr client,
@@ -405,6 +480,8 @@ xwl_output_set_emulated_mode(struct xwl_output *xwl_output, ClientPtr client,
xwl_output_add_emulated_mode_for_client(xwl_output, client, mode, from_vidmode);
xwl_screen_check_resolution_change_emulation(xwl_output->xwl_screen);
@ -139,10 +139,10 @@ index 99ab1b288..20c254962 100644
static void
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 85036adfe..e43f3de96 100644
index 9175396f7..32442d88e 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -690,6 +690,27 @@ xwl_screen_check_resolution_change_emulation(struct xwl_screen *xwl_screen)
@@ -679,6 +679,27 @@ xwl_screen_check_resolution_change_emulation(struct xwl_screen *xwl_screen)
xwl_window_check_resolution_change_emulation(xwl_window);
}
@ -170,7 +170,7 @@ index 85036adfe..e43f3de96 100644
static void
xwl_window_init_allow_commits(struct xwl_window *xwl_window)
{
@@ -855,6 +876,8 @@ xwl_realize_window(WindowPtr window)
@@ -844,6 +865,8 @@ xwl_realize_window(WindowPtr window)
return FALSE;
}
@ -180,10 +180,10 @@ index 85036adfe..e43f3de96 100644
}
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
index 9adf3af76..eb8c4bd70 100644
index 36c4c4c8b..1317ae5bb 100644
--- a/hw/xwayland/xwayland.h
+++ b/hw/xwayland/xwayland.h
@@ -418,6 +418,7 @@ Bool xwl_screen_has_resolution_change_emulation(struct xwl_screen *xwl_screen);
@@ -420,6 +420,7 @@ Bool xwl_screen_has_resolution_change_emulation(struct xwl_screen *xwl_screen);
struct xwl_output *xwl_screen_get_first_output(struct xwl_screen *xwl_screen);
void xwl_screen_check_resolution_change_emulation(struct xwl_screen *xwl_screen);
Bool xwl_window_has_viewport_enabled(struct xwl_window *xwl_window);
@ -191,7 +191,7 @@ index 9adf3af76..eb8c4bd70 100644
void xwl_tablet_tool_set_cursor(struct xwl_tablet_tool *tool);
void xwl_seat_set_cursor(struct xwl_seat *xwl_seat);
@@ -456,6 +457,8 @@ RRModePtr xwl_output_find_mode(struct xwl_output *xwl_output,
@@ -458,6 +459,8 @@ RRModePtr xwl_output_find_mode(struct xwl_output *xwl_output,
void xwl_output_set_emulated_mode(struct xwl_output *xwl_output,
ClientPtr client, RRModePtr mode,
Bool from_vidmode);
@ -201,5 +201,5 @@ index 9adf3af76..eb8c4bd70 100644
RRModePtr xwayland_cvt(int HDisplay, int VDisplay,
float VRefresh, Bool Reduced, Bool Interlaced);
--
2.25.2
2.28.0

16
0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch
View File

@ -1,7 +1,7 @@
From 87a1a7b9f8f7d848302057b9ca54f6729e82bbe7 Mon Sep 17 00:00:00 2001
From 049333a0ecf8574a0612bf27850f9682f0f70533 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 4 Nov 2019 14:32:29 +0100
Subject: [PATCH xserver 23/24] xwayland: Fix setting of
Subject: [PATCH xserver 23/25] xwayland: Fix setting of
_XWAYLAND_RANDR_EMU_MONITOR_RECTS prop on new windows
For window-manager managed windows, xwl_realize_window is only called for
@ -35,18 +35,18 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 6b86e56bd..e721d6cb5 100644
index 5bb7a68e9..1600c00cd 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -749,6 +749,7 @@ ensure_surface_for_window(WindowPtr window)
@@ -738,6 +738,7 @@ ensure_surface_for_window(WindowPtr window)
struct xwl_screen *xwl_screen;
struct xwl_window *xwl_window;
struct wl_region *region;
+ WindowPtr toplevel;
if (xwl_window_get(window))
if (xwl_window_from_window(window))
return TRUE;
@@ -819,7 +820,14 @@ ensure_surface_for_window(WindowPtr window)
@@ -808,7 +809,14 @@ ensure_surface_for_window(WindowPtr window)
xwl_window_init_allow_commits(xwl_window);
@ -62,7 +62,7 @@ index 6b86e56bd..e721d6cb5 100644
/* CSD or O-R toplevel window, check viewport on creation */
xwl_window_check_resolution_change_emulation(xwl_window);
}
@@ -868,8 +876,6 @@ xwl_realize_window(WindowPtr window)
@@ -857,8 +865,6 @@ xwl_realize_window(WindowPtr window)
return FALSE;
}
@ -72,5 +72,5 @@ index 6b86e56bd..e721d6cb5 100644
}
--
2.25.2
2.28.0

179
CVE-2020-14345.patch
View File

@ -1,179 +0,0 @@
From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:46:32 +0200
Subject: [PATCH] Correct bounds checking in XkbSetNames()
CVE-2020-14345 / ZDI 11428
reference£ºhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 3162574..ca7f44a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
#define CHK_REQ_KEY_RANGE(err,first,num,r) \
CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+ char *cstuff = (char *)stuff;
+ char *cfrom = (char *)from;
+ char *cto = (char *)to;
+
+ return cfrom < cto &&
+ cfrom >= cstuff &&
+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
+ cto >= cstuff &&
+ cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
/***====================================================================***/
int
@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
return BadAccess;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+ return BadLength;
old = tmp;
tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
if (!tmp) {
@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
}
width = (CARD8 *) tmp;
tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+ return BadLength;
type = &xkb->map->types[stuff->firstKTLevel];
for (i = 0; i < stuff->nKTLevels; i++, type++) {
if (width[i] == 0)
@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
type->num_levels, width[i]);
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x08;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->indicators)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
client->swapped, &bad);
if (!tmp) {
@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x09;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->virtualMods)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
(CARD32) stuff->virtualMods,
client->swapped, &bad);
@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x0a;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->groupNames)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
(CARD32) stuff->groupNames,
client->swapped, &bad);
@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
stuff->nKeys);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+ return BadLength;
tmp += stuff->nKeys;
}
if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + (stuff->nKeyAliases * 2)))
+ return BadLength;
tmp += stuff->nKeyAliases * 2;
}
if (stuff->which & XkbRGNamesMask) {
@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + stuff->nRadioGroups))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
/* check device-independent stuff */
tmp = (CARD32 *) &stuff[1];
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbKeycodesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbGeometryNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbPhysSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbTypesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbCompatNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
--
2.27.0

31
CVE-2020-14346.patch
View File

@ -1,31 +0,0 @@
From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:49:04 +0200
Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
Xi/xichangehierarchy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd912..504defe 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
--
2.27.0

32
CVE-2020-14361.patch
View File

@ -1,32 +0,0 @@
From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:52:29 +0200
Subject: [PATCH] Fix XkbSelectEvents() integer underflow
CVE-2020-14361 ZDI-CAN 11573
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
xkb/xkbSwap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5f..50cabb9 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
--
2.27.0

65
CVE-2020-14362.patch
View File

@ -1,65 +0,0 @@
From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/record/record.c b/record/record.c
index f0b739b..05d751a 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
--
2.27.0

BIN
xorg-server-1.20.10.tar.bz2 Normal file
View File

Binary file not shown.

BIN
xorg-server-1.20.8.tar.bz2
View File

Binary file not shown.

11
xorg-x11-server.spec
View File

@ -15,8 +15,8 @@
%global pkgname xorg-server
Name: xorg-x11-server
Version: 1.20.8
Release: 3
Version: 1.20.10
Release: 1
Summary: X.Org X11 X server
License: MIT and GPLv2
URL: https://www.x.org
@ -78,10 +78,6 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch
Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch
Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch
Patch0029: xorg-s11-server-CVE-2018-20839.patch
Patch0030: CVE-2020-14346.patch
Patch0031: CVE-2020-14361.patch
Patch0032: CVE-2020-14362.patch
Patch0033: CVE-2020-14345.patch
BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
BuildRequires: systemtap-sdt-devel libtool pkgconfig
@ -324,6 +320,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%{_libdir}/xorg/protocol.txt
%changelog
* Sat Jan 30 2021 jinzhimin<jinzhmin2@huawei.com> - 1.20.10-1
- Upgrade to 1.20.10
* Wed Dec 09 2020 orange-snn<songnannan2@huawei.com> - 1.20.8-3
- Type:CVE
- Id:CVE-2020-14345