author Matthieu Herrb <matthieu@cvs.openbsd.org> 2024-04-27 17:37:16 +0000
committer Matthieu Herrb <matthieu@cvs.openbsd.org> 2024-04-27 17:37:16 +0000
commit a0aa8160bd32d22cd46a6dc54520da4efe6ceadb
tree 76bbe3a2d0c8b9c9aa43f4b572a55edc51ef7f2c /xserver/ChangeLog
parent 982d98055c6d717845e8f982dd4c3192c2bdd3e1
Update to xserver 21.1.13.
Diffstat (limited to 'xserver/ChangeLog')
-rw-r--r-- xserver/ChangeLog 106
1 files changed, 106 insertions, 0 deletions
diff --git a/xserver/ChangeLog b/xserver/ChangeLog
index baea527b3..4f60673d6 100644
--- a/xserver/ChangeLog
+++ b/xserver/ChangeLog
@@ -1,3 +1,109 @@
+commit be2767845d6ed3c6dbd25a151051294d0908a995
+Author: Matt Turner <mattst88@gmail.com>
+Date: Fri Apr 12 13:09:23 2024 -0400
+
+ xserver 21.1.13
+
+ Signed-off-by: Matt Turner <mattst88@gmail.com>
+
+commit b4ea6f9eb6b9dfb25e92f617889db21348710173
+Author: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri Apr 5 15:24:49 2024 +0200
+
+ render: Avoid possible double-free in ProcRenderAddGlyphs()
+
+ ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+ then frees it using FreeGlyph() to decrease the reference count, after
+ AddGlyph() has increased it.
+
+ AddGlyph() however may chose to reuse an existing glyph if it's already
+ in the glyphSet, and free the glyph that was given, in which case the
+ caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+ already freed glyph, as reported by ASan:
+
+ READ of size 4 thread T0
+ #0 in FreeGlyph xserver/render/glyph.c:252
+ #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+ #2 in Dispatch xserver/dix/dispatch.c:546
+ #3 in dix_main xserver/dix/main.c:271
+ #4 in main xserver/dix/stubmain.c:34
+ #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #6 in __libc_start_main_impl ../csu/libc-start.c:360
+ #7 (/usr/bin/Xwayland+0x44fe4)
+ Address is located 0 bytes inside of 64-byte region
+ freed by thread T0 here:
+ #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+ #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+ #2 in AddGlyph xserver/render/glyph.c:295
+ #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+ #4 in Dispatch xserver/dix/dispatch.c:546
+ #5 in dix_main xserver/dix/main.c:271
+ #6 in main xserver/dix/stubmain.c:34
+ #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ previously allocated by thread T0 here:
+ #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+ #1 in AllocateGlyph xserver/render/glyph.c:355
+ #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+ #3 in Dispatch xserver/dix/dispatch.c:546
+ #4 in dix_main xserver/dix/main.c:271
+ #5 in main xserver/dix/stubmain.c:34
+ #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+ To avoid that, make sure not to free the given glyph in AddGlyph().
+
+ v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+ v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+ Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+ Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+ Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
+ (cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
+
+commit f54647dfa6e45481282c3650019449379059f113
+Author: Willem Jan Palenstijn <wjp@usecode.org>
+Date: Sun Mar 31 14:56:58 2024 +0200
+
+ mi: fix rounding issues around zero in miPointerSetPosition
+
+ Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/577
+
+ This patch replaces the instances of trunc in miPointerSetPosition by
+ floor, thereby removing the incorrect behaviour with subpixel pointer
+ locations between -1 and 0.
+
+ This is the relevant code fragment:
+
+ /* In the event we actually change screen or we get confined, we just
+ * drop the float component on the floor
+ * FIXME: only drop remainder for ConstrainCursorHarder, not for screen
+ * crossings */
+ if (x != trunc(*screenx))
+ *screenx = x;
+ if (y != trunc(*screeny))
+ *screeny = y;
+
+ The behaviour of this code does not match its comment for subpixel
+ coordinates between -1 and 0. For example, if *screenx is -0.5, the
+ preceding code would (correctly) clamp x to 0, but this would not be
+ detected by this condition, since 0 == trunc(-0.5), leaving *screenx
+ at -0.5, out of bounds.
+
+ This causes undesirable behaviour in GTK3 code using xi2, where negative
+ subpixel coordinates like this would (to all appearances randomly)
+ remove the focus from windows aligned with the zero boundary when the
+ mouse hits the left or top screen boundaries.
+
+ The other occurences of trunc in miPointerSetPosition have a more subtle
+ effect which would prevent proper clamping if there is a pointer limit
+ at a negative integer rather than at 0. This patch changes these to
+ floor for consistency.
+
+ Signed-off-by: Willem Jan Palenstijn <wjp@usecode.org>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1451>
+ (cherry picked from commit 0ee4ed286ea238e2ba2ca57227c3e66aca11f56b)
+
commit 101caa1b03bc26b718f4618eb24104add5d14a4b
Author: Povilas Kanapickas <povilas@radix.lt>
Date: Wed Apr 3 23:43:42 2024 +0300
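Review bot: the b4ea6f9eb entry in this hunk records a memory-safety fix (ASan heap-use-after-free in FreeGlyph, reached from ProcRenderAddGlyphs via Dispatch), but the import's own message is only "Update to xserver 21.1.13.", so anyone scanning the log for security-relevant changes will miss it. Suggest adding a line to the commit message that names the render double-free fix and the upstream issue (https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659). Because this view is limited to xserver/ChangeLog, the code side has to be checked in the full commit: per the v3 note, AddGlyph() should no longer free the glyph it is handed, leaving the FreeGlyph() call in ProcRenderAddGlyphs() as the only release on that path. The "Fixes: bdca6c3d1" tag also marks the bug as a regression from an earlier refcounting fix, so it is worth confirming whether that commit was already in this tree when deciding how far the update needs to be backported.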