commit ebfb06b11955a6c32500b7086be912ab96b753a7
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Dec 20 14:23:57 2017 -0500

    xserver 1.19.6
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 91c42093b248fc61a23cd1f48fec451fa29e122c
Author: Thomas Hellstrom <thellstrom@vmware.com>
Date:   Tue Sep 26 17:28:12 2017 -0700

    glx: Duplicate relevant fbconfigs for compositing visuals
    
    Previously, before GLX_OML_swap_method was fixed, both the X server and
    client ignored the swapMethod fbconfig value, which meant that, if the dri
    driver thought it exposed more than one swapMethod, it actually just
    exported a duplicated set of fbconfigs. When fixing GLX_OML_swap_method
    and restricting the choice for built-in visuals to a single swap method
    that meant we didn't have that many fbconfigs to choose from when pairing
    the compositing visual with an fbconfig, resulting in the fbconfig paired
    with the compositing visual becoming too restrictive for some applications,
    (at least for kwin). This problem would also happen if the dri driver
    only exposed a single swap method to begin with.
    
    So, to make sure the compositing visual gets a good enough fbconfig,
    duplicate fbconfigs that are suitable for compositing visuals and make
    sure these duplicated fbconfigs can be used only by compositing visuals.
    For duplicated fbconfigs not paired with a compositing visual, construct
    new compositing visuals, making compositing clients able to choose visuals
    / fbconfig more adapted to their needs.
    
    This is in some sense equivalent to adding a new "TRUECOLOR_COMPOSITING"
    GLX visualtype.
    
    Fixes: 4486d199bd3b ("glx: Fix visual fbconfig matching with respect to
                          swap method")
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102806
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Tested-By: Nick Sarnie <commendsarnex@gmail.com>
    Tested-by: Fredrik Höglund <fredrik@kde.org>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit f84e59a4f474d22860bac8aec2947798a86db69b)

commit 22b0880df680aee95e21bb8f93d6dd7d3434c681
Author: Thomas Hellstrom <thellstrom@vmware.com>
Date:   Wed Sep 6 16:27:54 2017 +0200

    glx: Fix visual fbconfig matching with respect to swap method
    
    For the built in visuals, we'd typically select the "best" fbconfig
    without considering the swap method. If the client then requests a
    specific swap method, say GLX_SWAP_COPY_OML, it may well happen that the
    first fbconfig matching requirements would have been paired with the 32-bit
    compositing visual, and the client would render a potentially transparent
    window.
    
    Fix this so that we try to match fbconfigs with the same swap method to all
    built-in visuals. That would guarantee that selecting a specific swap-
    method would not influence the chance of getting a compositing visual.
    
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 4486d199bd3bcb5b2b8ad9bc54eb11604d9bd653)

commit 1726badd61358e644b96f7c561ba239a68d87ba6
Author: Thomas Hellstrom <thellstrom@vmware.com>
Date:   Wed Sep 6 16:27:53 2017 +0200

    glx: Work around a GLX_OML swap method in older dri drivers
    
    The swapMethod config member would typically contain an arbitrary value
    on older dri drivers. Fix this so that if we detect an illegal value,
    return GLX_SWAP_UNDEFINED_OML.
    
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 0fc26310d5b09213c65f50bde444a1758172b016)

commit c64bd21d7a732b6b8de0f8f636e93b1d1bb46135
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jan 19 17:20:49 2017 -0500

    glx: Move Composite's synthetic visuals to a different select group
    
    Should you find yourself using a 16bpp display while also using a
    compositor, you poor soul, you may find that your GLX applications
    behave strangely; in particular, glxgears will be transparent. This is
    because it clears to (0,0,0,0) which is transparent if you honor alpha,
    and it will choose the synthetic visual because it has the most
    available r/g/b bits.
    
    To avoid this, bump synthetic visuals to a higher (less-preferred)
    select group. Unless the client explicitly asks for non-zero alpha bits,
    this will prefer any rgb565 visual ahead of the argb8888 visual.
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit ea483af99a6351323afe00a0b630cd63310efdb1)

commit 4c64b20a629287472908ae82a05844feed209dd9
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jan 19 17:20:49 2017 -0500

    glx: Send GLX_VISUAL_SELECT_GROUP_SGIX attribute for visuals
    
    We already send this for fbconfigs. Mesa happens to implement
    glXChooseVisual relative to the fbconfig data, but that might not be
    true of NVIDIA's libGL.
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 43efaa6e4fd903229dc9c508da4177ad4bbdd4d8)

commit 0a73e7bf10d5a9373be5f057fd583c8a5e8e511f
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jul 27 16:02:28 2017 -0400

    composite: Make compIsAlternateVisual safe even if Composite is off
    
    As of ea483af9 we're calling this unconditionally from the GLX code so
    the synthetic visual is in a lower select group. If Composite has been
    disabled then GetCompScreen() will return NULL, and this would crash.
    
    Rather than force the caller to check first, just always return FALSE if
    Composite is disabled (which is correct, since none of the visuals will
    be synthetic in that case).
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
    (cherry picked from commit f80119120c487581ac050ce741808f7c8f438f35)

commit 06d1c83d04a53f506ae3c8c3c86df5ae779b9ca9
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jan 19 17:20:49 2017 -0500

    composite: Export compIsAlternateVisual
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit ef2345aaa28461a76f77c65240ce5facc180f98e)

commit c70d8e5585ddcd3c9f5b4adac15eca1f9178d3c5
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jan 19 17:20:49 2017 -0500

    composite: Remove a misleading comment
    
    This comment is above compIsAlternateVisual, which used to be the only
    thing determining whether implicit redirect was needed. It's not anymore
    due to the redirection exception list. That job is now performed by
    compImplicitRedirect, whose code is self-explanatory.
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit bccbaf7c113b1300071601879002682ebbe8b1c1)

commit dbf97534de61539873717b8e0fcc03f1be6362f8
Author: Tomasz Śniatowski <kailoran@gmail.com>
Date:   Wed Dec 6 12:16:17 2017 +0100

    os: Fix strtok/free crash in ComputeLocalClient
    
    Don't reuse cmd for strtok output to ensure the proper pointer is
    freed afterwards.
    
    The code incorrectly assumed the pointer returned by strtok(cmd, ":")
    would always point to cmd. However, strtok(str, sep) != str if str
    begins with sep. This caused an invalid-free crash when running
    a program under X with a name beginning with a colon.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
    Signed-off-by: Tomasz Śniatowski <kailoran@gmail.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit 6883ae43eb72fe4e2651c1dca209563323fad2db)

commit 072dff82817bc02bb4bdb2dad594e6090586bf58
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Dec 5 09:59:06 2017 +0100

    dix: avoid dereferencing NULL PtrCtrl
    
    PtrCtrl really makes sense for relative pointing device only, absolute
    devices such as touch devices do not have any PtrCtrl set.
    
    In some cases, if the client issues a XGetPointerControl() immediately
    after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
    a NULL pointer dereference will occur leading to a crash of Xwayland.
    
    Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
    return the default control values otherwise, to avoid the NULL pointer
    dereference.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    (cherry picked from commit 9f7a9be13d6449c00c86d3035374f4f543654b3f)

commit f9a55653721980e3921083015ffb39f777606828
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Sep 27 18:01:01 2017 +0200

    xwayland: Fix non-argb cursor conversion
    
    From the bug: "What happens if bits->width is less than 8? :)"
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103012
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
    Reviewed-by: Daniel Stone <daniels@collabora.com>
    (cherry picked from commit 97ac59b1ed3624f7c04e54dd3e3dadfa46a8f170)

commit b832dac751f81d803d33df7c4dd929f77a69c7b0
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Nov 14 15:15:01 2017 -0500

    glx: Fix glXQueryContext for GLX_FBCONFIG_ID and GLX_RENDER_TYPE (v2)
    
    Just never filled in, oops. Seems to have gone unnoticed because
    normally glXQueryContext simply returns the values filled in by the
    client library when the context was created. The only path by which you
    normally get to a GLXQueryContext request is glXImportContext, and then
    only if the context is already indirect.
    
    However, that's a statement about Mesa's libGL (and anything else that
    inherited that bit of the SGI SI more or less intact). Nothing prevents
    a mischievous client from issuing that request of a direct context, and
    if they did we'd be in trouble because we never bothered to preserve the
    associated fbconfig in the context state, so we'd crash looking up
    GLX_VISUAL_ID_EXT. So let's fix that too.
    
    v2: Fixed missing preservation of the config in DRI2 (Eric Anholt)
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 5d667df6ea1634191a26f9a7c26bc883701d62b0)

commit ee64427c6c5b22514b4d427fb9cee11b8239baea
Author: Daniel Martin <consume.noise@gmail.com>
Date:   Mon Nov 20 10:47:38 2017 +0100

    os/xdmcp: Honour -once when session is dead
    
    Terminate a dead session when -once was passed. Don't restart it.
    
    Signed-off-by: Daniel Martin <consume.noise@gmail.com>
    Reviewed-by: Walter Harms <wharms@bfs.de>
    (cherry picked from commit 918afeecbc63d70413e222efdb2ac4cfb16eae9e)

commit 5c00e693631475679c1c2504e03177652ec7de28
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Mon Oct 2 11:33:43 2017 +0200

    present: Only send PresentCompleteNotify events to the presenting client
    
    We were sending the events to all clients listening for them on the
    window. But clients can get confused by events from another client, and
    I can't imagine any case where receiving events from other clients would
    be required.
    
    v2:
    * Also restrict events sent to additional windows to the presenting
      client
    * Don't shorten line lengths
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 559954aaa8d811a22cf918cc16a7d618e12201a0)

commit a4bd27bdc8e3569ffa67c1105a2e5cdf0f3de683
Author: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Date:   Thu Nov 9 10:21:19 2017 +0100

    randr: rrGetScreenResources: initialize memory
    
    Similarly to bb766ef11227bd8c71ac65845d1930edd0eda40d, ensure that the
    extra padding is set to 0.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
    (cherry picked from commit fb5ee77b91a93e27801006be8ee34d27984e7fa6)

commit ece2e82ebf597ffda44b4753aa5cb7f5e1d97480
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Nov 14 15:59:35 2017 -0500

    glx: Only flush indirect contexts in MakeCurrent (v2)
    
    If the context is direct none of the GL commands were issued by this
    process, the server couldn't flush them even if it wanted to.
    
    v2: Fix embarrassingly obvious boolean inversion (Michel Dänzer)
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit 307c124d6bcfe26057767b2c0990dc9ac66b9c93)

commit d1a2a2757977bf2f241fd254be821bf96910b587
Author: Hector Martin <marcan@marcan.st>
Date:   Wed Nov 15 03:12:31 2017 +0900

    edid: fix off-by-one error in CEA mode numbering
    
    The CEA extension short video descriptors contain the VIC, which starts
    at 1, not 0.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Hector Martin <marcan@marcan.st>
    (cherry picked from commit 68556d74b49e99d3490166c446079f7d5de26ca4)

commit b3fa60edc412e4c52bc6fa0346217eed0ebc98e3
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 6 16:07:41 2017 -0500

    glx: Fix typos that break GLX_ARB_context_flush_control
    
    The trailing \n are just wrong here, __glXEnableExtension wants a string
    without them.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
    (cherry picked from commit fd0eafb18426da14601d5c0d0a50092c49a7aff8)

commit c010bcb8c36b2ca0bba1b80c9bde63ff89e42ed4
Author: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Date:   Sat Nov 4 23:06:29 2017 +0100

    randr: ProcRRGetOutputInfo: initialize memory
    
    Running Xephyr under valgrind reveals that we're sending some
    uninitialized memory over the wire (particularly, the leftover padding
    that comes from rounding extraLen to the next 32-bit multiple).
    
    Solve by calloc()ing the memory instead of malloc()ing (the alternative
    would be to memset just the padding, but I'm not sure it's more
    convenient.)
    
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit bb766ef11227bd8c71ac65845d1930edd0eda40d)

commit c328570644e3b4dfaf840d057883a4db31976da7
Author: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Date:   Sat Nov 4 23:06:27 2017 +0100

    xkb: initialize tsyms
    
    This fixes some “Conditional jump depends on uninitialized value(s)”
    errors spotted by valgrind.
    
    Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
    (cherry picked from commit b2167015043a458e9cf93b827b43eb5b7c552ce9)

commit c39de5f7358634eb2fea66041e3a3465e8cf6e13
Author: Eric Anholt <eric@anholt.net>
Date:   Tue Oct 31 12:22:31 2017 -0700

    xkb: Print the xkbcomp path being executed when we fail to compile.
    
    I don't know how many times I've had a broken server due to a bad
    directory to xkbcomp, and only finding the whole path has shown me
    where I went wrong.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 30f4d440ebc3517fdcc1d3c6a422a8fbf3af1f23)

commit 5a5b6d6cca469521daa6ac9087f3589b7489ab55
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Sep 26 15:21:59 2017 +1000

    config/udev: consider ID_INPUT_FOO=0 as 'unset'
    
    Historically we didn't need to care about this case but more devices are
    having invalid types set and they cannot be unset with a hwdb entry (which
    doesn't handle the empty string). Allow for "0" to mean "unset" because
    anything else would be crazy anyway.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 5aad81445c8c3d6b7b30d503cfe26027fa482870)

commit 8817747c8587d75c14e00069e8f26e3edb671013
Author: Daniel Martin <consume.noise@gmail.com>
Date:   Fri Oct 27 16:11:55 2017 +0200

    test: signal-logging: Fix looping signed number tests
    
    unsigned_tests[] was used to compute the amount of signed numbers to
    test.
    
    Signed-off-by: Daniel Martin <consume.noise@gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
    (cherry picked from commit 15a32ee5d1fffa171bb05af9a0e5b472e4af1488)

commit e663998fa8bb77bb753abed1e0c12922d4ce1669
Author: Daniel Martin <consume.noise@gmail.com>
Date:   Fri Oct 27 16:11:54 2017 +0200

    test: input: Fix used uninitialized warning in dix_event_to_core
    
    input.c: In function ‘dix_event_to_core’:
    ../include/inputstr.h:61:55: warning: ‘*((void *)&ev+80)’ is used uninitialized in this function [-Wuninitialized]
     #define SetBit(ptr, bit)  (((BYTE *) (ptr))[(bit)>>3] |= (1 << ((bit) & 7)))
                                                           ^~
    
    Signed-off-by: Daniel Martin <consume.noise@gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
    (cherry picked from commit 0bcc65f2bf479c6a74ac70bb5b5181d6834dded6)

commit e8530b872aa4b1648bba7fb3dddaf9abf70100ed
Author: Daniel Martin <consume.noise@gmail.com>
Date:   Fri Oct 27 16:11:53 2017 +0200

    modesetting: Fix potential buffer overflow
    
    If one misconfigures a ZaphodHeads value (more than 20 characters
    without a delimiter), we get an overflow of our buffer.  Use
    xstrtokenize() instead of writing/fixing our own tokenizer.
    
    Signed-off-by: Daniel Martin <consume.noise@gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
    (cherry picked from commit 04a305121fbc08ecc2ef345ee7155d6087a43fd1)

commit 4ef1aef0fbbf47c937cf421f0180cc18fc23a03e
Author: Alex Goins <agoins@nvidia.com>
Date:   Tue Oct 24 18:39:13 2017 -0700

    ramdac: Check ScreenPriv != NULL in xf86ScreenSetCursor()
    
    Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv
    without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL.
    
    Without this fix, it is observed that setting Option "SWCursor" "on" on the
    modesetting driver in a PRIME configuration will segfault the server.
    
    It is important to return success rather than failure in the instance that
    ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor()
    can fall into infinite recursion: xf86SetCursor(pCurs) calls
    xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If
    xf86ScreenSetCursor(NullCursor) returns FALSE, it calls
    xf86SetCursor(NullCursor) again and this repeats forever.
    
    Signed-off-by: Alex Goins <agoins@nvidia.com>
    Reviewed-by: Dave Airlie <airlied@redhat.com>
    (cherry picked from commit 68d95e759f8b6ebca6bd52e69e6bc34cc174f8ca)

commit cd5076a50c0274512bd2ce2c8ecf56c3517d0266
Author: Nikolay Martynov <mar.kolya@gmail.com>
Date:   Wed Sep 13 23:23:13 2017 -0400

    XShmGetImage: fix censoring
    
    It looks like offsets calculated during image censoring are wrong.
    This results in black (empty) images being returned.
    
    This fix is very similar to 6c6f09aac7f1d1367a042087b7681c7fdf1d1e0f
    that was applied to XGetImage
    
    Visually this fixes chromium/firefox window sharing in multiscreen
    configurations - without this patch most of the windows on 'secondary'
    screens are black.
    
    This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
    
    Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 885636b7d42b3c7b151fc386d358184db004ce45)

commit a6776111b24f7211c08c7497466f5d9351d0756c
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jun 8 16:23:12 2017 -0400

    xfixes: Remove the CursorCurrent array
    
    We're not wrapping all the ways a cursor can be destroyed, so this array
    ends up with stale data. Rather than try harder to wrap more code paths,
    just look up the cursor when we need it.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit aa6651f83c698e8cc40de61aad36c73ca7a6adcf)

commit b96e982e3a43513549636850186ff80a82190f64
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Oct 12 12:32:31 2017 -0400

    xserver 1.19.5
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 95f605b42d8bbb6bea2834a1abfc205981c5b803
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 10:15:46 2015 -0500

    Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
    
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)

commit cc41e5b581d287c56f8d7113a97a4882dcfdd696
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 10:09:14 2015 -0500

    dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
    
    v2: Protect against integer overflow (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)

commit 6c15122163a2d2615db7e998e8d436815a08dec6
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Wed Dec 24 16:22:18 2014 -0500

    Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)

commit c77cd08efcf386bcc5d8dfbd0427134b2b2d0888
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 10:04:41 2015 -0500

    Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
    
    [jcristau: originally this patch fixed the same issue as commit
     211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
     addition of these checks]
    
    This addresses CVE-2017-12179
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)

commit d264da92f7f8129b8aad4f0114a6467fc38fc896
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Sun Dec 21 01:10:03 2014 -0500

    hw/xfree86: unvalidated lengths
    
    This addresses:
    CVE-2017-12180 in XFree86-VidModeExtension
    CVE-2017-12181 in XFree86-DGA
    CVE-2017-12182 in XFree86-DRI
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)

commit 61502107a30d64f991784648c3228ebc6694a032
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 11:43:05 2015 -0500

    xfixes: unvalidated lengths (CVE-2017-12183)
    
    v2: Use before swap (Jeremy Huddleston Sequoia)
    
    v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)

commit c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 09:57:23 2015 -0500

    Unvalidated lengths
    
    v2: Add overflow check and remove unnecessary check (Julien Cristau)
    
    This addresses:
    CVE-2017-12184 in XINERAMA
    CVE-2017-12185 in MIT-SCREEN-SAVER
    CVE-2017-12186 in X-Resource
    CVE-2017-12187 in RENDER
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)

commit e751722a7b0c5b595794e60b054ade0b3f6cdb4d
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 7 17:04:03 2017 +0200

    os: Make sure big requests have sufficient length.
    
    A client can send a big request where the 32B "length" field has value
    0. When the big request header is removed and the length corrected,
    the value will underflow to 0xFFFFFFFF.  Functions processing the
    request later will think that the client sent much more data and may
    touch memory beyond the receive buffer.
    
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
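
Added example, not code from the xserver tree: a minimal request-header parser showing the length underflow described in the commit above and the check that prevents it. The names `parse_request_header`, `build_big_request` and `MAX_REQ_WORDS` are hypothetical, the headers are constructed sample input, and the client is assumed to use host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on request size in 4-byte words (assumption, not xserver's value). */
#define MAX_REQ_WORDS (4u * 1024u * 1024u)

enum req_status { REQ_OK = 0, REQ_NEED_MORE = 1, REQ_BAD_LENGTH = -1 };

struct req_info {
    uint8_t  opcode;
    uint32_t len_words;  /* length in 4-byte words once the extra length word is removed */
    size_t   wire_bytes; /* bytes the request occupies in the receive buffer */
};

/* Unaligned host-order loads; byte swapping for foreign-endian clients is left out. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, sizeof v); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* The unchecked adjustment the commit message describes: 0 - 1 wraps to 0xFFFFFFFF. */
uint32_t naive_adjusted_length(uint32_t ext_len_words)
{
    return ext_len_words - 1;
}

/* Validate the header at the start of buf (avail bytes received so far). */
enum req_status parse_request_header(const uint8_t *buf, size_t avail,
                                     int big_requests, struct req_info *out)
{
    uint32_t words;
    int extended = 0;

    if (avail < 4)
        return REQ_NEED_MORE;
    words = rd16(buf + 2);

    if (words == 0) {
        /* A zero 16-bit length is only meaningful with BIG-REQUESTS enabled. */
        if (!big_requests)
            return REQ_BAD_LENGTH;
        if (avail < 8)
            return REQ_NEED_MORE;
        words = rd32(buf + 4);
        extended = 1;
        /* The extended length counts the 4-byte header and the length word
         * itself, so anything below 2 cannot be a valid request. */
        if (words < 2)
            return REQ_BAD_LENGTH;
    }
    if (words > MAX_REQ_WORDS)
        return REQ_BAD_LENGTH;
    if (avail < (size_t)words * 4)
        return REQ_NEED_MORE;

    out->opcode = buf[0];
    out->len_words = extended ? words - 1 : words; /* safe: words >= 2 when extended */
    out->wire_bytes = (size_t)words * 4;
    return REQ_OK;
}

/* Build a constructed big-request header: opcode, pad, 16-bit zero, 32-bit length. */
void build_big_request(uint8_t *buf, uint8_t opcode, uint32_t ext_len_words)
{
    uint16_t zero = 0;

    buf[0] = opcode;
    buf[1] = 0;
    memcpy(buf + 2, &zero, sizeof zero);
    memcpy(buf + 4, &ext_len_words, sizeof ext_len_words);
}

int main(void)
{
    uint8_t buf[16] = {0};
    struct req_info info;
    uint32_t lens[] = {0, 1, 2, 4};

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        build_big_request(buf, 1, lens[i]);
        printf("ext_len=%u naive=0x%08X checked=%d\n", (unsigned)lens[i],
               (unsigned)naive_adjusted_length(lens[i]),
               (int)parse_request_header(buf, sizeof buf, 1, &info));
    }
    return 0;
}
```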

commit 784d205ff6527c761ffbb1c43c9ad3669dd8d26e
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Oct 12 12:17:53 2017 -0400

    Revert "xf86-video-modesetting: Add ms_queue_vblank helper [v3]"
    
    Apparently introduces a regression:
    
    https://bugs.freedesktop.org/103243
    
    This reverts commit 388dc1aeac9acf2d51ad5103570beffd81d78b96.

commit ec37e559614cf4eaba67d3ca0693f09fd95a5d57
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Oct 4 15:29:18 2017 -0400

    xserver 1.19.4
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 12fe3d3e9f494ef84832efe94ba00db92be499b1
Author: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
Date:   Wed Sep 27 01:19:58 2017 -0400

    present: Check the whole exec queue on event
    
    Later events are sometimes added in front of the queue (e.g.
    if page flipping fails) so we need to check the whole queue
    on event.
    
    Signed-off-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit c2f2b25ab55c67f9f3ad07c02fa746eae7c61196)

commit 388dc1aeac9acf2d51ad5103570beffd81d78b96
Author: Keith Packard <keithp@keithp.com>
Date:   Fri Sep 29 08:48:33 2017 -0700

    xf86-video-modesetting: Add ms_queue_vblank helper [v3]
    
    This provides an API wrapper around the kernel interface for queueing
    a vblank event, simplifying all of the callers.
    
    v2: Fix missing '|' in computing vbl.request.type
    
    v3: Remove spurious bit of next patch (thanks, Michel Dänzer)
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 677c32bcda98a96585bb1f66b57e0755a157b772)

commit 8bd33a2db7337b2801fc630a57e36b6aeea219d9
Author: Keith Packard <keithp@keithp.com>
Date:   Thu Jul 27 10:08:32 2017 -0700

    xkb: Handle xkb formatted string output safely (CVE-2017-13723)
    
    Generating strings for XKB data used a single shared static buffer,
    which offered several opportunities for errors. Use a ring of
    resizable buffers instead, to avoid problems when strings end up
    longer than anticipated.
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)

commit 3094c4c6d879215923f2183ecd048b4f5429b182
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 27 11:54:26 2017 +0200

    xkb: Escape non-printable characters correctly.
    
    XkbStringText escapes non-printable characters using octal numbers. Such escape
    sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
    in the buffer. Due to char->unsigned int conversion, it would print much longer
    string for negative numbers.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
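
Added example, not the XkbStringText code: it measures the octal escape produced when a byte reaches `%o` through a signed char versus an unsigned char, then applies the unsigned form in a bounded escaper. The function names are hypothetical, the input strings are constructed, and a 32-bit `unsigned int` and the default "C" locale are assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape length when the byte is sign-extended on its way to unsigned int:
 * -23 (0xE9) becomes 0xFFFFFFE9 and prints 11 octal digits after "\0". */
size_t naive_escape_len(signed char c)
{
    return (size_t)snprintf(NULL, 0, "\\0%o", (unsigned int)c);
}

/* Same escape with the byte narrowed to unsigned char first: at most
 * 3 octal digits, so the "\0ddd" form never exceeds 5 characters. */
size_t fixed_escape_len(signed char c)
{
    return (size_t)snprintf(NULL, 0, "\\0%o", (unsigned int)(unsigned char)c);
}

/* Copy `in` to `out`, replacing non-printable bytes with "\0<octal>".
 * Never writes more than out_size bytes and always NUL-terminates when
 * out_size > 0. Returns the length the full result needs (snprintf-style),
 * so a return value >= out_size means the output was truncated.
 * Printable bytes, backslash included, are copied unchanged. */
size_t escape_nonprintable(const char *in, char *out, size_t out_size)
{
    size_t need = 0;

    if (out_size > 0)
        out[0] = '\0';

    for (; *in != '\0'; in++) {
        unsigned char uc = (unsigned char)*in;

        if (isprint(uc)) {
            if (need + 1 < out_size) {
                out[need] = (char)uc;
                out[need + 1] = '\0';
            }
            need += 1;
        } else {
            int room = need < out_size;
            /* snprintf truncates and terminates within the remaining space. */
            int n = snprintf(room ? out + need : NULL,
                             room ? out_size - need : 0,
                             "\\0%o", (unsigned int)uc);
            need += (size_t)n;
        }
    }
    return need;
}

int main(void)
{
    char out[32];
    size_t n = escape_nonprintable("a\xE9" "b", out, sizeof out);

    printf("naive=%zu fixed=%zu escaped=%s (%zu)\n",
           naive_escape_len((signed char)-23),
           fixed_escape_len((signed char)-23), out, n);
    return 0;
}
```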

commit a510fb811100bc27f0bfafe5d073998551161819
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 28 16:27:10 2017 +0200

    Xext/shm: Validate shmseg resource id (CVE-2017-13721)
    
    Otherwise it can belong to a non-existing client and abort X server with
    FatalError "client not in use", or overwrite existing segment of another
    existing client.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)

commit 3cea13cc40e2421ebefcf2ee0eb949a7bc4e63fd
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Jun 16 15:44:47 2017 -0400

    dmx: Remove some not-very-interesting debug prints
    
    gcc/glibc think the snprintf in dmxExecOS() might truncate. Yes, it
    might, and we also don't care. Just delete all this.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Acked-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit d6db66811643d3762716f6b144a7358572216a4f)

commit 320e48c9217a8bdcd07dc8ce4aebec043e4afa3c
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Jun 16 15:44:46 2017 -0400

    dmx: Silence an unused-result warning
    
    Modern glibc is very insistent that you care about whether write()
    succeeds:
    
    ../hw/dmx/input/usb-keyboard.c: In function ‘kbdUSBCtrl’:
    ../hw/dmx/input/usb-keyboard.c:292:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
             write(priv->fd, &event, sizeof(event));
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 17ad6e5d5616039021455bc821d6ee2497f7ebde)

commit c5d409a292008c4219c77a1bdb7621eb0ac42991
Author: Jon TURNEY <jon.turney@dronecode.org.uk>
Date:   Mon Jun 26 14:54:04 2017 +0100

    Move statically linked xorgxkb files from dixmods to a separate directory
    
    [ajax: Fixed test/Makefile.am as well]
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit fbdd73fac68383c93f6f5c6a7615860503039999)

commit 359186b13bc6ea6d8c3340c392c0aba5b9376a5d
Author: Dawid Kurek <dawid.kurek@displaylink.com>
Date:   Thu Jul 6 14:51:11 2017 +0200

    modesetting: Blacklist EVDI devices from PRIME sync
    
    UDL (usb) devices are blacklisted because of their weird behaviour when
    it comes to vblank events. As EVDI uses very similar model of handling
    vblanks it should be treated similarly.
    
    When doing a page flip, EVDI does not wait for real vblank, but
    simulates it by adding constant delay. It also does not support
    DRM_IOCTL_WAIT_VBLANK.
    
    In contrast to UDL, EVDI uses platform devices, thus instead of 'usb' in
    path they all have 'platform'.
    
    It is possible to blacklist by 'platform', so without explicitly saying
    'evdi', but it might be misleading when it comes to real reason for it.
    
    Signed-off-by: Dawid Kurek <dawid.kurek@displaylink.com>
    (cherry picked from commit fbd80b2c8ebe9fd41229dc5438524d107c071ff1)

commit 5571318f22f17883e26977a4c72e1e46d17bdf5d
Author: Keith Packard <keithp@keithp.com>
Date:   Mon Sep 25 16:18:22 2017 -0700

    modesetting: Skip no-longer-present connectors when resetting BAD links
    
    Outputs may have NULL mode_output (connector) pointers if the
    connector disappears while the server is running. Skip these when
    resetting outputs with BAD link status.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 37f4e7651a2fd51efa613a08a1e705553be33e76)

commit 787655d5df0c8c43e5e424af3e6e35b8daf54a7d
Author: Martin Peres <martin.peres@linux.intel.com>
Date:   Mon Apr 10 16:48:21 2017 +0300

    modesetting: re-set the crtc's mode when link-status goes BAD
    
    Despite all the careful planning of the kernel, a link may become
    insufficient to handle the currently-set mode. At this point, the
    kernel should mark this particular configuration as being broken
    and potentially prune the mode before setting the offending connector's
    link-status to BAD and send the userspace a hotplug event. This may
    happen right after a modeset or later on.
    
    Upon receiving a hot-plug event, we iterate through the connectors to
    re-apply the currently-set mode on all the connectors that have a
    link-status property set to BAD. The kernel may be able to get the
    link to work by dropping to using a lower link bpp (with the same
    display bpp). However, the modeset may fail if the kernel has pruned
    the mode, so to make users aware of this problem a warning is output
    in the logs to warn about having a potentially-black display.
    
    This patch does not modify the current behaviour of always propagating
    the events to the randr clients. This allows desktop environments to
    re-probe the connectors and select a new resolution based on the new
    (curated) mode list if a mode disappeared. This behaviour is expected in
    order to pass the Display Port compliance tests.
    
    Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit bcee1b76aa0db8525b491485e90b8740763d7de6)

commit 126144c2355ce5a3a350f15ef97389c7f34bb6fb
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri May 5 09:04:35 2017 +1000

    xfree86: up the path name size to 512 in xf86MatchDriverFromFiles
    
    ./hw/xfree86/common/xf86pciBus.c: In function ‘xf86MatchDriverFromFiles’:
    ../hw/xfree86/common/xf86pciBus.c:1330:52: warning: ‘snprintf’ output may be
    truncated before the last format character [-Wformat-truncation=]
                 snprintf(path_name, sizeof(path_name), "%s/%s", ^~~~~~~
    ../hw/xfree86/common/xf86pciBus.c:1330:13: note: ‘snprintf’ output between 2
    
    dirent->d_name is 256, so sprintf("%s/%s") into a 256 buffer gives us:
    
    and 257 bytes into a destination of size 256
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 96af794dc648eadcd596893412d7530e92cb5421)

commit a114286c079c42067b001ac330501496e2e297a1
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Sep 6 11:53:02 2017 +1000

    test: fix compiler warning
    
    signal-logging.c:182:12: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit ea82ececbf85a7ac3d0931687f44c57534fde17c)

commit d230e12d7dac4461626d0c6edfd692571592a280
Author: Nick Sarnie <commendsarnex@gmail.com>
Date:   Sat Sep 23 17:35:48 2017 -0400

    suid: Include sysmacros.h to fix build after glibc-2.25
    
    [Added HAVE_SYS_SYSMACROS_H guard - ajax]
    
    Signed-off-by: Nick Sarnie <commendsarnex@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 84e3b96b531363e47f6789aacfcae4aa60135e2e)

commit c5320244a3501aaf9558715e9097a2a625cb768b
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 27 14:45:25 2017 -0400

    xfree86: Silence a new glibc warning
    
    glibc would like to stop declaring major()/minor() macros in
    <sys/types.h> because that header gets included absolutely everywhere
    and unix device major/minor is perhaps usually not what's expected. Fair
    enough. If one includes <sys/sysmacros.h> as well then glibc knows we
    meant it and doesn't warn, so do that if it exists.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit d732c36597fab2e9bc4f2aa72cf1110997697557)

commit 0e79797e3cb3f8fafe271f4f233a8a8fd25f2001
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Aug 30 15:11:45 2017 -0400

    os: Fix warning in LockServer
    
    The meson build gives me:
    
    ../os/utils.c: In function ‘LockServer’:
    ../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
         snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
                                            ^~~~~~~~~
    ../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
         snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Which seems to be due to the %d part meaning that a negative number's -
    sign would be one wider than we're expecting. Fine, just coerce it to
    unsigned.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit aabf65d2a0206bd1a9c6e9a9f3153ded873dfd43)

commit 69ab094a08513849bb68cd2750840e88db6e5933
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Jul 26 16:00:38 2017 +0200

    glamor: Avoid overflow between box32 and box16 box
    
    glamor_compute_transform_clipped_regions() uses a temporary box32
    internally which is copied back to a box16 to init the regions16,
    thus causing a potential overflow.
    
    If an overflow occurs, the given region is invalid and the pixmap
    init region will fail.
    
    Simply check that the coordinates won't overflow when copying back to
    the box16, avoiding a crash later down the line in glamor.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Tested-by: Fabrice Bellet <fabrice@bellet.info>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c)
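
Added example, not part of the commit above or of the glamor source: one way to guard a 32-bit to 16-bit box copy of the kind that commit describes, next to a helper that shows how an unchecked copy inverts a box. The struct and function names and the sample boxes are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-ins for the 32-bit and 16-bit box types. */
struct box32 { int32_t x1, y1, x2, y2; };
struct box16 { int16_t x1, y1, x2, y2; };

/* What an unchecked copy keeps of v on the usual two's-complement targets:
 * the low 16 bits, read back as a signed value. */
static int32_t wrap16(int32_t v)
{
    uint16_t low = (uint16_t)v;
    return low >= 0x8000 ? (int32_t)low - 0x10000 : (int32_t)low;
}

/* True when an unchecked narrowing would leave x2 <= x1 or y2 <= y1. */
bool narrowing_inverts(const struct box32 *b)
{
    return wrap16(b->x2) <= wrap16(b->x1) || wrap16(b->y2) <= wrap16(b->y1);
}

static bool fits16(int32_t v)
{
    return v >= INT16_MIN && v <= INT16_MAX;
}

/* Checked copy: refuse the box instead of storing wrapped coordinates. */
bool box32_to_box16(const struct box32 *in, struct box16 *out)
{
    if (!fits16(in->x1) || !fits16(in->y1) ||
        !fits16(in->x2) || !fits16(in->y2))
        return false;
    out->x1 = (int16_t)in->x1;
    out->y1 = (int16_t)in->y1;
    out->x2 = (int16_t)in->x2;
    out->y2 = (int16_t)in->y2;
    return true;
}

/* Constructed samples: one box that fits, one whose x2 exceeds INT16_MAX. */
const struct box32 SAMPLE_OK  = { 0, 0, 1920, 1080 };
const struct box32 SAMPLE_BIG = { 0, 0, 40000, 1080 };
```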

commit 421814bc81ba8dfaa9be59b8b35b3a9114dbcb8b
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Jul 26 16:00:37 2017 +0200

    glamor: handle NULL source picture
    
    COMPOSITE_REGION() can pass NULL as a source picture, make sure we
    handle that nicely in both glamor_composite_clipped_region() and
    glamor_composite_choose_shader().
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit bd353e9b84e013fc34ed730319d5b63d20977903)

commit baa25315014af350c9c04c2c83beeee36aead042
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Thu Aug 31 10:23:00 2017 +0200

    xwayland: Fix a segfault with pointer locking
    
    Xwayland would crash in some circumstances while trying to issue a
    pointer locking when the cursor is hidden when there is no seat focus
    window set.
    
    The crash signature looks like:
    
     #0  zwp_pointer_constraints_v1_lock_pointer ()
     #1  xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
     #2  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
     #3  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
     #4  xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
     #5  xwl_set_cursor () at xwayland-cursor.c:245
     #6  miPointerUpdateSprite () at mipointer.c:468
     #7  miPointerDisplayCursor () at mipointer.c:206
     #8  CursorDisplayCursor () at cursor.c:150
     #9  AnimCurDisplayCursor () at animcur.c:220
     #10 ChangeToCursor () at events.c:936
     #11 ActivatePointerGrab () at events.c:1542
     #12 GrabDevice () at events.c:5120
     #13 ProcGrabPointer () at events.c:4908
     #14 Dispatch () at dispatch.c:478
     #15 dix_main () at main.c:276
    
    xwl_pointer_warp_emulator_lock() tries to use the surface from the
    xwl_seat->focus_window leading to a NULL pointer dereference when that
    value is NULL.
    
    Check that xwl_seat->focus_window is not NULL earlier in the stack in
    xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
    to avoid the crash.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit cdd0352ba05d4d8482aaca41797e05d40e58da36)

commit 6f29c8375281c0337ab94f7919a70c20149b0fc6
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 7 17:21:46 2017 +0200

    Xi: Test exact size of XIBarrierReleasePointer
    
    Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 211e05ac85a294ef361b9f80d689047fa52b9076)
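
Added example, not part of the commit above or of the Xi source: an exact-size check for a request that carries a client-supplied element count, the class of validation that commit describes. The wire layout, names and sample requests are hypothetical simplifications, and the example assumes the server compares the count against the bytes it actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire layout modelled on a counted X request; not the Xi headers. */
struct req_hdr {
    uint8_t  reqtype, subtype;
    uint16_t length;        /* whole request, in 4-byte units */
    uint32_t num_barriers;  /* element count chosen by the client */
};
struct barrier_info { uint16_t deviceid, pad; uint32_t barrier, eventid; };

_Static_assert(sizeof(struct req_hdr) == 8, "header must be 8 bytes");
_Static_assert(sizeof(struct barrier_info) == 12, "element must be 12 bytes");

enum { REQ_OK = 0, REQ_BAD_LENGTH = 16 };  /* 16 is the X11 BadLength code */

/* Accept only when the received bytes are exactly header + num_barriers elements. */
int check_exact_size(const uint8_t *buf, size_t received)
{
    struct req_hdr hdr;
    size_t payload;

    if (received < sizeof hdr)
        return REQ_BAD_LENGTH;
    memcpy(&hdr, buf, sizeof hdr);
    if ((size_t)hdr.length * 4 != received)  /* declared size vs. bytes read */
        return REQ_BAD_LENGTH;
    payload = received - sizeof hdr;
    /* Divide instead of multiplying so a huge count cannot wrap the product. */
    if (payload % sizeof(struct barrier_info) != 0 ||
        hdr.num_barriers != payload / sizeof(struct barrier_info))
        return REQ_BAD_LENGTH;
    return REQ_OK;
}

/* Constructed sample: the header claims `claimed` elements, `sent` are present. */
int check_sample(uint32_t claimed, uint32_t sent)
{
    uint8_t buf[sizeof(struct req_hdr) + 8 * sizeof(struct barrier_info)] = {0};
    struct req_hdr hdr = {0};
    size_t len;

    if (sent > 8)
        return -1;
    len = sizeof hdr + sent * sizeof(struct barrier_info);
    hdr.length = (uint16_t)(len / 4);
    hdr.num_barriers = claimed;
    memcpy(buf, &hdr, sizeof hdr);
    return check_exact_size(buf, len);
}
```

A count smaller than the payload is rejected as well as a larger one, which is what distinguishes an exact-size test from an at-least test.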

commit c8eb79c1834cef5657e227844111052e0dd78661
Author: Rodrigo Vivi <rodrigo.vivi@intel.com>
Date:   Thu Jun 29 13:29:58 2017 -0700

