sync code with last improvements from OpenBSD

2023-10-26 22:50:19 +00:00 · 2023-10-26 22:50:19 +00:00 · 68fa196282
commit 68fa196282
parent e1ec829e63
30 changed files with 268 additions and 1060 deletions
--- a/xserver/Xi/xiproperty.c
+++ b/xserver/Xi/xiproperty.c
@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
                XIDestroyDeviceProperty(prop);
            return BadAlloc;
        }
-        new_value.size = len;
+        new_value.size = total_len;
        new_value.type = type;
        new_value.format = format;

@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
        case PropModePrepend:
            new_data = new_value.data;
            old_data = (void *) (((char *) new_value.data) +
-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
            break;
        }
        if (new_data)
--- a/xserver/dix/enterleave.h
+++ b/xserver/dix/enterleave.h
@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,

 extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);

-extern void LeaveWindow(DeviceIntPtr dev);
-
 extern void CoreFocusEvent(DeviceIntPtr kbd,
                           int type, int mode, int detail, WindowPtr pWin);

--- a/xserver/fb/fb.h
+++ b/xserver/fb/fb.h
@ -410,6 +410,7 @@ typedef struct {
 #endif
    DevPrivateKeyRec    gcPrivateKeyRec;
    DevPrivateKeyRec    winPrivateKeyRec;
+    CloseScreenProcPtr  CloseScreen;
 } FbScreenPrivRec, *FbScreenPrivPtr;

 #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \
--- a/xserver/fb/fbscreen.c
+++ b/xserver/fb/fbscreen.c
@ -29,6 +29,7 @@
 Bool
 fbCloseScreen(ScreenPtr pScreen)
 {
+    FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen);
    int d;
    DepthPtr depths = pScreen->allowedDepths;

@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen)
        free(depths[d].vids);
    free(depths);
    free(pScreen->visuals);
-    if (pScreen->devPrivate)
-        FreePixmap((PixmapPtr)pScreen->devPrivate);
-    return TRUE;
+
+    pScreen->CloseScreen = screen_priv->CloseScreen;
+
+    return pScreen->CloseScreen(pScreen);
 }

 Bool
@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
                   int dpix, int dpiy, int width, int bpp)
 #endif
 {
+    FbScreenPrivPtr screen_priv;
    VisualPtr visuals;
    DepthPtr depths;
    int nvisuals;
@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
                      rootdepth, ndepths, depths,
                      defaultVisual, nvisuals, visuals))
        return FALSE;
-    /* overwrite miCloseScreen with our own */
+
+    screen_priv = fbGetScreenPrivate(pScreen);
+    screen_priv->CloseScreen = pScreen->CloseScreen;
    pScreen->CloseScreen = fbCloseScreen;
+
    return TRUE;
 }

--- a/xserver/hw/vfb/InitOutput.c
+++ b/xserver/hw/vfb/InitOutput.c
@ -727,13 +727,6 @@ vfbCloseScreen(ScreenPtr pScreen)

    pScreen->CloseScreen = pvfb->closeScreen;

-    /*
-     * fb overwrites miCloseScreen, so do this here
-     */
-    if (pScreen->devPrivate)
-        (*pScreen->DestroyPixmap) (pScreen->devPrivate);
-    pScreen->devPrivate = NULL;
-
    return pScreen->CloseScreen(pScreen);
 }

--- a/xserver/include/eventstr.h
+++ b/xserver/include/eventstr.h
@ -335,4 +335,7 @@ union _InternalEvent {
    GestureEvent gesture_event;
 };

+extern void
+LeaveWindow(DeviceIntPtr dev);
+
 #endif
--- a/xserver/mi/mipointer.c
+++ b/xserver/mi/mipointer.c
@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
 #ifdef PANORAMIX
        && noPanoramiXExtension
 #endif
-        )
-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
 }

 /**
--- a/xserver/mi/miscrinit.c
+++ b/xserver/mi/miscrinit.c
@ -249,10 +249,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits,  /* pointer to screen bits */
    pScreen->numVisuals = numVisuals;
    pScreen->visuals = visuals;
    if (width) {
+        pScreen->CloseScreen = miCloseScreen;
 #ifdef MITSHM
        ShmRegisterFbFuncs(pScreen);
 #endif
-        pScreen->CloseScreen = miCloseScreen;
    }
    /* else CloseScreen */
    /* QueryBestSize */
--- a/xserver/randr/rrproperty.c
+++ b/xserver/randr/rrproperty.c
@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
                RRDestroyOutputProperty(prop);
            return BadAlloc;
        }
-        new_value.size = len;
+        new_value.size = total_len;
        new_value.type = type;
        new_value.format = format;

@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
        case PropModePrepend:
            new_data = new_value.data;
            old_data = (void *) (((char *) new_value.data) +
-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
            break;
        }
        if (new_data)