author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2024-04-27 17:37:16 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2024-04-27 17:37:16 +0000 |
commit | a0aa8160bd32d22cd46a6dc54520da4efe6ceadb (patch) | |
tree | 76bbe3a2d0c8b9c9aa43f4b572a55edc51ef7f2c | |
parent | 982d98055c6d717845e8f982dd4c3192c2bdd3e1 (diff) |
Update to xserver 21.1.13.
-rw-r--r-- | xserver/ChangeLog | 106 | ||||
-rw-r--r-- | xserver/configure | 28 | ||||
-rw-r--r-- | xserver/configure.ac | 4 | ||||
-rw-r--r-- | xserver/meson.build | 4 | ||||
-rw-r--r-- | xserver/mi/mipointer.c | 8 | ||||
-rw-r--r-- | xserver/render/glyph.c | 2 |
6 files changed, 128 insertions, 24 deletions
diff --git a/xserver/ChangeLog b/xserver/ChangeLog index baea527b3..4f60673d6 100644 --- a/xserver/ChangeLog +++ b/xserver/ChangeLog @@ -1,3 +1,109 @@ +commit be2767845d6ed3c6dbd25a151051294d0908a995 +Author: Matt Turner <mattst88@gmail.com> +Date: Fri Apr 12 13:09:23 2024 -0400 + + xserver 21.1.13 + + 
Signed-off-by: Matt Turner <mattst88@gmail.com> + +commit b4ea6f9eb6b9dfb25e92f617889db21348710173 +Author: Olivier Fourdan <ofourdan@redhat.com> +Date: Fri Apr 5 15:24:49 2024 +0200 + + render: Avoid possible double-free in ProcRenderAddGlyphs() + + ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and + then frees it using FreeGlyph() to decrease the reference count, after + AddGlyph() has increased it. + + AddGlyph() however may chose to reuse an existing glyph if it's already + in the glyphSet, and free the glyph that was given, in which case the + caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an + already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + + To avoid that, make sure not to free the given glyph in AddGlyph(). + + v2: Simplify the test using the boolean returned from AddGlyph() (Michel) + v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + + Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs + Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 + 
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> + Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476> + (cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04) + +commit f54647dfa6e45481282c3650019449379059f113 +Author: Willem Jan Palenstijn <wjp@usecode.org> +Date: Sun Mar 31 14:56:58 2024 +0200 + + mi: fix rounding issues around zero in miPointerSetPosition + + Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/577 + + This patch replaces the instances of trunc in miPointerSetPosition by + floor, thereby removing the incorrect behaviour with subpixel pointer + locations between -1 and 0. + + This is the relevant code fragment: + + /* In the event we actually change screen or we get confined, we just + * drop the float component on the floor + * FIXME: only drop remainder for ConstrainCursorHarder, not for screen + * crossings */ + if (x != trunc(*screenx)) + *screenx = x; + if (y != trunc(*screeny)) + *screeny = y; + + The behaviour of this code does not match its comment for subpixel + coordinates between -1 and 0. For example, if *screenx is -0.5, the + preceding code would (correctly) clamp x to 0, but this would not be + detected by this condition, since 0 == trunc(-0.5), leaving *screenx + at -0.5, out of bounds. + + This causes undesirable behaviour in GTK3 code using xi2, where negative + subpixel coordinates like this would (to all appearances randomly) + remove the focus from windows aligned with the zero boundary when the + mouse hits the left or top screen boundaries. + + The other occurences of trunc in miPointerSetPosition have a more subtle + effect which would prevent proper clamping if there is a pointer limit + at a negative integer rather than at 0. This patch changes these to + floor for consistency. + + 
Signed-off-by: Willem Jan Palenstijn <wjp@usecode.org> + Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1451> + (cherry picked from commit 0ee4ed286ea238e2ba2ca57227c3e66aca11f56b) + commit 101caa1b03bc26b718f4618eb24104add5d14a4b Author: Povilas Kanapickas <povilas@radix.lt> Date: Wed Apr 3 23:43:42 2024 +0300 diff --git a/xserver/configure b/xserver/configure index 20b16a8b9..cd632a467 100644 --- a/xserver/configure +++ b/xserver/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for xorg-server 21.1.12. +# Generated by GNU Autoconf 2.71 for xorg-server 21.1.13. # # Report bugs to <https://gitlab.freedesktop.org/xorg/xserver/issues>. # @@ -682,8 +682,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='xorg-server' PACKAGE_TARNAME='xorg-server' -PACKAGE_VERSION='21.1.12' -PACKAGE_STRING='xorg-server 21.1.12' +PACKAGE_VERSION='21.1.13' +PACKAGE_STRING='xorg-server 21.1.13' PACKAGE_BUGREPORT='https://gitlab.freedesktop.org/xorg/xserver/issues' PACKAGE_URL='' @@ -2015,7 +2015,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xorg-server 21.1.12 to adapt to many kinds of systems. +\`configure' configures xorg-server 21.1.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2086,7 +2086,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xorg-server 21.1.12:";; + short | recursive ) echo "Configuration of xorg-server 21.1.13:";; esac cat <<\_ACEOF 
@@ -2275,10 +2275,10 @@ Optional Packages: org.x) --with-bundle-version=VERSION Version to use for X11.app's CFBundleVersion - (default: 21.1.12) + (default: 21.1.13) --with-bundle-version-string=VERSION Version to use for X11.app's - CFBundleShortVersionString (default: 21.1.12) + CFBundleShortVersionString (default: 21.1.13) --with-sparkle-feed-url=URL URL for the Sparkle feed (default: https://www.xquartz.org/releases/sparkle/release.xml) @@ -2493,7 +2493,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xorg-server configure 21.1.12 +xorg-server configure 21.1.13 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -3150,7 +3150,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xorg-server $as_me 21.1.12, which was +It was created by xorg-server $as_me 21.1.13, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3907,7 +3907,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu -RELEASE_DATE="2024-04-03" +RELEASE_DATE="2024-04-12" RELEASE_NAME="Caramel Ice Cream" @@ -4388,7 +4388,7 @@ fi # Define the identity of the package. PACKAGE='xorg-server' - VERSION='21.1.12' + VERSION='21.1.13' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -24439,7 +24439,7 @@ if test ${with_bundle_version+y} then : withval=$with_bundle_version; BUNDLE_VERSION="${withval}" else $as_nop - BUNDLE_VERSION="21.1.12" + BUNDLE_VERSION="21.1.13" fi 
@@ -33105,7 +33105,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xorg-server $as_me 21.1.12, which was +This file was extended by xorg-server $as_me 21.1.13, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -33173,7 +33173,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -xorg-server config.status 21.1.12 +xorg-server config.status 21.1.13 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/xserver/configure.ac b/xserver/configure.ac index 76e3432a2..f920909f5 100644 --- a/xserver/configure.ac +++ b/xserver/configure.ac @@ -26,8 +26,8 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 21.1.12, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server) -RELEASE_DATE="2024-04-03" +AC_INIT([xorg-server], 21.1.13, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server) +RELEASE_DATE="2024-04-12" RELEASE_NAME="Caramel Ice Cream" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/xserver/meson.build b/xserver/meson.build index f91f9343a..9e54a0a6f 100644 --- a/xserver/meson.build +++ b/xserver/meson.build @@ -3,10 +3,10 @@ project('xserver', 'c', 'buildtype=debugoptimized', 'c_std=gnu99', ], - version: '21.1.12', + version: '21.1.13', meson_version: '>= 0.47.0', ) -release_date = '2024-04-03' +release_date = '2024-04-12' add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc']) cc = meson.get_compiler('c') diff --git a/xserver/mi/mipointer.c b/xserver/mi/mipointer.c index 8cf003514..8ab814785 100644 --- a/xserver/mi/mipointer.c +++ b/xserver/mi/mipointer.c 
@@ -622,8 +622,8 @@ miPointerSetPosition(DeviceIntPtr pDev, int mode, double *screenx, pPointer = MIPOINTER(pDev); pScreen = pPointer->pScreen; - x = trunc(*screenx); - y = trunc(*screeny); + x = floor(*screenx); + y = floor(*screeny); switch_screen = !point_on_screen(pScreen, x, y); @@ -701,9 +701,9 @@ miPointerSetPosition(DeviceIntPtr pDev, int mode, double *screenx, * drop the float component on the floor * FIXME: only drop remainder for ConstrainCursorHarder, not for screen * crossings */ - if (x != trunc(*screenx)) + if (x != floor(*screenx)) *screenx = x; - if (y != trunc(*screeny)) + if (y != floor(*screeny)) *screeny = y; return pScreen; diff --git a/xserver/render/glyph.c b/xserver/render/glyph.c index d5fc5f3c9..f5069d42f 100644 --- a/xserver/render/glyph.c +++ b/xserver/render/glyph.c @@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, TRUE, glyph->sha1); if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { - FreeGlyphPicture(glyph); - dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); glyph = gr->glyph; } else if (gr->glyph != glyph) { |
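Review bot: In the @@ -622 hunk of xserver/mi/mipointer.c, `x = floor(*screenx);` and `y = floor(*screeny);` still convert a double to what looks like an int with no range or NaN check (the declarations of x and y are outside the hunk, so the type is inferred). A value outside the int range makes that conversion undefined in C, so either clamp before converting or add a comment naming the caller that bounds the coordinates. The same rounding is repeated in the @@ -701 hunk at `if (x != floor(*screenx))`; a one-line comment at both places, e.g. `/* floor, not trunc: -0.5 must round to -1 so the clamp to 0 is detected */`, would keep the fix from being reverted. miPointerSetPosition begins and ends outside both hunks.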
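Review bot: In the @@ -291 hunk of xserver/render/glyph.c, the reuse branch of AddGlyph() now only rebinds the local pointer with `glyph = gr->glyph;`, so the glyph passed in stays allocated and its release depends entirely on the caller. The ChangeLog entry in this commit says ProcRenderAddGlyphs() calls FreeGlyph() right after AddGlyph(); any other caller, not visible here, would leak the duplicate unless it does the same. Please record the contract above the function, e.g. `/* AddGlyph never frees the glyph it is given; the caller drops its own reference with FreeGlyph(). */`. AddGlyph's body starts and ends outside the hunk.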