commit b25ad9b8f0ebcc3ebe09ce9991410c60f3a8b2ce
Author: José Expósito <jexposit@redhat.com>
Date:   Tue Oct 29 14:40:34 2024 +0100

    xserver 21.1.14
    
    Signed-off-by: José Expósito <jexposit@redhat.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1734>

commit ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Thu Oct 10 10:37:28 2024 +0200

    xkb: Fix buffer overflow in _XkbSetCompatMap()
    
    The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
    buffer.
    
    However, it didn't update its size properly. It updated `num_si` only,
    without updating `size_si`.
    
    This may lead to local privilege escalation if the server is run as root
    or remote code execution (e.g. x11 over ssh).
    
    CVE-2024-9632, ZDI-CAN-24756
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: José Expósito <jexposit@redhat.com>
    (cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1734>
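
The commit above describes a resize that grew `sym_interpret` but left `size_si` stale, so later bounds checks trusted a capacity that no longer matched the buffer. The block below is an added illustration written for this changelog, not xserver code: it models the two counters with a constructed `CompatMap` struct (the names `num_si` and `size_si` come from the message; `SymInterp`, `compat_map_resize`, `compat_map_set_interprets` and `compat_map_demo` are assumed helpers) and shows a resize path that keeps the capacity field in step with the allocation so that the write check is meaningful.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the xkb compat map: `num_si` entries in use,
 * `size_si` entries allocated. Field names follow the commit message; the
 * struct and the SymInterp payload are simplified for this example. */
typedef struct {
    unsigned char sym;
    unsigned char act;
} SymInterp;

typedef struct {
    SymInterp *sym_interpret;
    unsigned short num_si;   /* entries currently in use */
    unsigned short size_si;  /* entries the buffer can hold */
} CompatMap;

/* Resize the backing store and, crucially, keep size_si in step with it.
 * Newly added slots are zeroed. Returns 0 on success, -1 on failure. */
int compat_map_resize(CompatMap *map, unsigned short new_size)
{
    SymInterp *p;

    if (new_size == 0) {
        free(map->sym_interpret);
        map->sym_interpret = NULL;
        map->size_si = map->num_si = 0;
        return 0;
    }
    p = realloc(map->sym_interpret, (size_t)new_size * sizeof *p);
    if (!p)
        return -1;
    if (new_size > map->size_si)
        memset(p + map->size_si, 0,
               (size_t)(new_size - map->size_si) * sizeof *p);
    map->sym_interpret = p;
    map->size_si = new_size;
    if (map->num_si > new_size)        /* shrinking drops trailing entries */
        map->num_si = new_size;
    return 0;
}

/* Copy `count` entries to position `first`, growing the buffer if needed.
 * The bounds check is only meaningful because size_si is kept accurate.
 * Returns the number of entries written, or -1 on failure. */
int compat_map_set_interprets(CompatMap *map, unsigned short first,
                              const SymInterp *src, unsigned short count)
{
    unsigned needed = (unsigned)first + count;

    if (count == 0)
        return 0;
    if (needed > 0xFFFFu)              /* would overflow the 16-bit counters */
        return -1;
    if (needed > map->size_si &&
        compat_map_resize(map, (unsigned short)needed) != 0)
        return -1;
    memcpy(map->sym_interpret + first, src, (size_t)count * sizeof *src);
    if (needed > map->num_si)
        map->num_si = (unsigned short)needed;
    return count;
}

/* Exercise the helpers on constructed data and return num_si * 100 + size_si
 * after the second write (expected 505), or -1 if any step fails. */
int compat_map_demo(void)
{
    CompatMap map = { NULL, 0, 0 };
    SymInterp four[4] = { {1, 1}, {2, 2}, {3, 3}, {4, 4} };
    SymInterp two[2] = { {9, 9}, {8, 8} };
    int result = -1;

    if (compat_map_set_interprets(&map, 0, four, 4) != 4)
        goto out;                      /* now num_si == 4, size_si == 4 */
    if (compat_map_set_interprets(&map, 3, two, 2) != 2)
        goto out;                      /* overlaps slot 3, grows to 5 */
    if (map.sym_interpret[3].sym != 9 || map.sym_interpret[4].sym != 8)
        goto out;
    result = map.num_si * 100 + map.size_si;
out:
    compat_map_resize(&map, 0);        /* release the buffer */
    return result;
}
```

The single invariant worth taking from this is that every code path that reallocates must update the capacity field in the same statement sequence; a count-only update is exactly the shape of bug the commit fixes.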

commit e3e14369c62a3647b8f125d9dcb7072f370c10f1
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sat Oct 14 19:06:22 2023 +0200

    Fix a double-free on syntax error without a new line.
    
    $ echo "#foo\nfoo" > custom_config
    $ X -config custom_config
    
    will trigger the double free because the contents of xf86_lex_val.str
    have been realloc()ed already when free is called in read.c:209.
    
    This copies the lex token and adds all the necessary free() calls to
    avoid leaking it
    
    (cherry picked from commit fbc034e847a3862a0a28e5872135a3c502da6518)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>

commit 4adb5d589f4bb90bf0ff9f1c88096ce60c41286c
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sat Feb 17 16:47:38 2024 +0100

    Return NULL in *cmdname if the client argv or argv[0] is NULL
    
    (cherry picked from commit 59f5445a7ff3ee1468d86f03943c976c790c0893)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>

commit 5f9cac4c34e6212e3e4fc22ff4c182d6013eeafc
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Fri Nov 11 14:58:02 2022 +0100

    Don't crash if the client argv or argv[0] is NULL.
    
    Report from bauerm at pestilenz dot org.
    
    (cherry picked from commit a8512146ba9f475a384a35337f51c7730ba7b4ce)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>

commit 9d310679476abb150b8b9055ad44132ffbfa0e3b
Author: Enrico Weigelt, metux IT consult <info@metux.net>
Date:   Thu Feb 15 16:15:02 2024 +0100

    Xnest: fix broken exposure events
    
    Xnest fails to properly pass through expose events: the coordinates are
    miscalculated in xnestCollectExposures(), before miSendExposures() is called.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1735
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/132
    Fixes: 605e6764df - Fix Motif menu drawing in Xnest
    Backport-Of: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1397
    Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1651>

commit 00d0eba826bbf4b35becbd3fab1ee10e8b3bb89d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 13:27:45 2024 -0700

    dix: FindBestPixel: fix implicit fallthrough warning
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 9c9e1afeb277030380daa9b22f88b05e1af783a0)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 52813e32f26c16b8210dbf5e4e2be7b8a4406360
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 13:21:14 2024 -0700

    dix: GetPairedDevice: check if GetMaster returned NULL
    
    Clears warning from gcc 14.1:
    
    ../dix/devices.c: In function ‘GetPairedDevice’:
    ../dix/devices.c:2734:15: warning: dereference of NULL ‘dev’
     [CWE-476] [-Wanalyzer-null-dereference]
     2734 |     return dev->spriteInfo? dev->spriteInfo->paired: NULL;
          |            ~~~^~~~~~~~~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit e6fc0861d8016ab31536329acac6d6de4bc64164)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 65644c32b8062dd73b10e5f9092dfb833f469719
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 11:59:07 2024 -0700

    dix: HashResourceID: use unsigned integers for bit shifting
    
    Clears warning from gcc 14.1:
    
    ../dix/resource.c: In function ‘HashResourceID’:
    ../dix/resource.c:691:44: warning: left shift of negative value
     [-Wshift-negative-value]
      691 |     return (id ^ (id >> numBits)) & ~((~0) << numBits);
          |                                            ^~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 26a7ab09eae24fda6cbf51e03f974c7572e80e69)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit f12dd2436f2b70dc2fb8e29bee9dfaf907764ca0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 11:15:03 2024 -0700

    dix: ProcListProperties: skip unneeded work if numProps is 0
    
    No real harm, but clears warning from gcc 14.1:
    
    ../dix/property.c: In function ‘ProcListProperties’:
    ..//dix/property.c:605:27: warning: dereference of NULL ‘temppAtoms’
     [CWE-476] [-Wanalyzer-null-dereference]
      605 |             *temppAtoms++ = pProp->propertyName;
          |             ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 39f337fd497d6fd95efaae9ff5a62d60b49e16aa)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 83a9950d7a8e365d13acaa1c38136d1b9068f4be
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 11:03:41 2024 -0700

    dix: dixChangeWindowProperty: don't call memcpy if malloc failed
    
    It shouldn't matter, since it would have a length of 0, but it
    clears warnings from gcc 14.1:
    
    ../dix/property.c: In function ‘dixChangeWindowProperty’:
    ../dix/property.c:287:9: warning: use of possibly-NULL ‘data’ where
     non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
      287 |         memcpy(data, value, totalSize);
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../dix/property.c:324:13: warning: use of possibly-NULL ‘data’ where
     non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
      324 |             memcpy(data, value, totalSize);
          |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 10cafd0bbebfbb92c4e73088ba168ef96fcb983c)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 3bca0f56fa509c57715ad9f2f1742d73f6ffee6d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 10:41:33 2024 -0700

    dix: InitPredictableAccelerationScheme: avoid memory leak on failure
    
    Clears warning from gcc 14.1:
    
    ../dix/ptrveloc.c: In function ‘InitPredictableAccelerationScheme’:
    ../dix/ptrveloc.c:149:9: warning: leak of ‘<unknown>’
     [CWE-401] [-Wanalyzer-malloc-leak]
      149 |         free(vel);
          |         ^~~~~~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 462d13c2f6dc25adea1f19e6b621f97b997236af)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 6cefa3a592ce433a203ddc69e0d5bd1d8a0504fd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 10:03:08 2024 -0700

    dix: CreateScratchGC: avoid dereference of pointer we just set to NULL
    
    Clears warning from gcc 14.1:
    
    ../dix/gc.c: In function ‘CreateScratchGC’:
    ../dix/gc.c:818:28: warning: dereference of NULL ‘pGC’
     [CWE-476] [-Wanalyzer-null-dereference]
      818 |     pGC->graphicsExposures = FALSE;
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 7ee3a520184b355820923bc7a955d0834eb8afbd)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit abaf3c6f204a42006ce1da4fc6d8206477d302e5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 09:57:36 2024 -0700

    dix: enterleave.c: fix implicit fallthrough warnings
    
    Clears 7 -Wimplicit-fallthrough warnings from gcc 14.1
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 0cb826e3d0fd366914c34ab18e5917930f6695b4)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 0f10584ec43eb29512ac9c4748eccc7b1d60988b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 09:45:54 2024 -0700

    dix: SetFontPath: don't set errorValue on Success
    
    Clears warning from gcc 14.1:
    
    ../dix/dixfonts.c: In function ‘SetFontPath’:
    ../dix/dixfonts.c:1697:28: warning: use of uninitialized value ‘bad’
     [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
     1697 |         client->errorValue = bad;
          |         ~~~~~~~~~~~~~~~~~~~^~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 1a86fba0d9ae2e107e3ed23519ab3b84d2e5240e)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit f9a5bc6532f76758f7a7fd44047731541ebd23d5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 09:28:19 2024 -0700

    dix: PolyText: fully initialize local_closure
    
    Clears warning from gcc 14.1:
    
    ../dix/dixfonts.c:1352:15: warning: use of uninitialized value ‘*c.data’
     [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
     1352 |         free(c->data);
          |              ~^~~~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit d78836a3a6b827a282957c48898f9ba4cb0dbcf5)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 02e6639547361578e856a079814caef08db5260f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Sep 8 09:17:17 2024 -0700

    dix: check for calloc() failure in Xi event conversion routines
    
    Clears up 12 -Wanalyzer-possible-null-dereference warnings from gcc 14.1
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 25762834c9a5da3a7c672d89a7da73297252d905)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 111dc7058891bd01b117f3984cf5ac701011e053
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jan 22 14:22:12 2024 +1000

    dix: fix valuator copy/paste error in the DeviceStateNotify event
    
    Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
    
    (cherry picked from commit 133e0d651c5d12bf01999d6289e84e224ba77adc)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>

commit 408432fbd0f51d2404bfcfc60f20de8bac1f6178
Author: Konstantin <ria.freelander@gmail.com>
Date:   Sun Jun 26 00:01:54 2022 +0300

    glamor: make use of GL_EXT_texture_format_BGRA8888
    
    For 24 and 32 bit depth pictures xserver uses PICT_x8r8g8b8 and PICT_a8r8g8b8 formats,
    which must be backed with GL_BGRA format. It is present in OpenGL ES 2.0 only with
    GL_EXT_texture_format_BGRA8888 extension. We require such extension in glamor_init,
    so why not make use of it?
    Fixes #1208
    Fixes #1354
    
    Signed-off-by: Konstantin Pugin <ria.freelander@gmail.com>
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Emma Anholt <emma@anholt.net>
    (cherry picked from commit 24cd5f34f8edcc6621ed9c0f2b1a3df08de7488d)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1546>

commit 03bbf4b1214b4e9aad153a5969c32264234fe4da
Author: Alexey <fatton2011@yandex.ru>
Date:   Fri Jun 24 15:12:54 2022 +0000

    Fixed mirrored glyphs on big-endian machines
    
    (cherry picked from commit 4cf89222701d73d46c098be9fcc8d9eb6d96f885)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1605>

commit b08cb8141b544788d8607fa31e69c089acdb4fa4
Author: Enrico Weigelt, metux IT consult <info@metux.net>
Date:   Wed Jul 31 15:11:27 2024 +0200

    Xnest: cursor: fix potentially uninitialized memory
    
    It's safer to zero-out the cursor-private memory on allocation,
    instead of relying on it being cleared/initialized somewhere later.
    
    Fixes: 3f3ff971ec - Replace X-allocation functions with their C89 counterparts
    Backport-Of: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1652
    Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1653>

commit 68129d7369f30e1448f587598d3e2c015329ae38
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Jul 23 17:11:55 2024 +0200

    build: Drop libxcvt requirement from SDK_REQUIRED_MODULES
    
    The SDK does not need libxcvt, only Xorg and Xwayland do.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1721
    Fixes: a4ab57cb7 - build: Add dependency on libxcvt
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1618>

commit 8407181c7dfe14086d99697af0b86120320ab73e
Author: José Expósito <jexposit@redhat.com>
Date:   Fri Jan 19 13:05:51 2024 +0100

    ephyr: Fix incompatible pointer type build error
    
    Fix a compilation error on 32 bits architectures with gcc 14:
    
      ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
      ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int,  void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32,  void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int,  void *)’} [-Wincompatible-pointer-types]
        154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
            |                               ^
      ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int *, void *)’} [-Wincompatible-pointer-types]
        155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
            |                               ^
    
    Build error logs:
    https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
    
    Signed-off-by: José Expósito <jexposit@redhat.com>
    (cherry picked from commit e89edec497bac581ca9b614fb00c25365580f045)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1532>

commit be2767845d6ed3c6dbd25a151051294d0908a995
Author: Matt Turner <mattst88@gmail.com>
Date:   Fri Apr 12 13:09:23 2024 -0400

    xserver 21.1.13
    
    Signed-off-by: Matt Turner <mattst88@gmail.com>

commit b4ea6f9eb6b9dfb25e92f617889db21348710173
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Apr 5 15:24:49 2024 +0200

    render: Avoid possible double-free in ProcRenderAddGlyphs()
    
    ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
    then frees it using FreeGlyph() to decrease the reference count, after
    AddGlyph() has increased it.
    
    AddGlyph() however may choose to reuse an existing glyph if it's already
    in the glyphSet, and free the glyph that was given, in which case the
    caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
    already freed glyph, as reported by ASan:
    
      READ of size 4 thread T0
        #0 in FreeGlyph xserver/render/glyph.c:252
        #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
        #2 in Dispatch xserver/dix/dispatch.c:546
        #3 in dix_main xserver/dix/main.c:271
        #4 in main xserver/dix/stubmain.c:34
        #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 in __libc_start_main_impl ../csu/libc-start.c:360
        #7  (/usr/bin/Xwayland+0x44fe4)
      Address is located 0 bytes inside of 64-byte region
      freed by thread T0 here:
        #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
        #2 in AddGlyph xserver/render/glyph.c:295
        #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
        #4 in Dispatch xserver/dix/dispatch.c:546
        #5 in dix_main xserver/dix/main.c:271
        #6 in main xserver/dix/stubmain.c:34
        #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      previously allocated by thread T0 here:
        #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
        #1 in AllocateGlyph xserver/render/glyph.c:355
        #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
        #3 in Dispatch xserver/dix/dispatch.c:546
        #4 in dix_main xserver/dix/main.c:271
        #5 in main xserver/dix/stubmain.c:34
        #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
    
    To avoid that, make sure not to free the given glyph in AddGlyph().
    
    v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
    v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
    
    Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
    (cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)

commit f54647dfa6e45481282c3650019449379059f113
Author: Willem Jan Palenstijn <wjp@usecode.org>
Date:   Sun Mar 31 14:56:58 2024 +0200

    mi: fix rounding issues around zero in miPointerSetPosition
    
    Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/577
    
    This patch replaces the instances of trunc in miPointerSetPosition by
    floor, thereby removing the incorrect behaviour with subpixel pointer
    locations between -1 and 0.
    
    This is the relevant code fragment:
    
        /* In the event we actually change screen or we get confined, we just
         * drop the float component on the floor
         * FIXME: only drop remainder for ConstrainCursorHarder, not for screen
         * crossings */
        if (x != trunc(*screenx))
            *screenx = x;
        if (y != trunc(*screeny))
            *screeny = y;
    
    The behaviour of this code does not match its comment for subpixel
    coordinates between -1 and 0. For example, if *screenx is -0.5, the
    preceding code would (correctly) clamp x to 0, but this would not be
    detected by this condition, since 0 == trunc(-0.5), leaving *screenx
    at -0.5, out of bounds.
    
    This causes undesirable behaviour in GTK3 code using xi2, where negative
    subpixel coordinates like this would (to all appearances randomly)
    remove the focus from windows aligned with the zero boundary when the
    mouse hits the left or top screen boundaries.
    
    The other occurrences of trunc in miPointerSetPosition have a more subtle
    effect which would prevent proper clamping if there is a pointer limit
    at a negative integer rather than at 0. This patch changes these to
    floor for consistency.
    
    Signed-off-by: Willem Jan Palenstijn <wjp@usecode.org>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1451>
    (cherry picked from commit 0ee4ed286ea238e2ba2ca57227c3e66aca11f56b)
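
The commit message above works through why `trunc()` lets a subpixel coordinate in (-1, 0) escape the clamp while `floor()` does not. The block below is an added example written for this changelog, not code from xserver: `snap_coordinate` is a constructed model of the clamp-then-snap logic quoted in the message (with the range generalized to [lo, hi] so the negative-limit case the message also mentions can be shown), and `trunc_d`/`floor_d` are local re-implementations of the libm calls so the example links without libm. All names and inputs are assumptions for illustration.

```c
#include <stdio.h>

/* Local stand-ins for trunc() and floor() so the example links without libm;
 * for the magnitudes used here they give the same results as the libm calls. */
static double trunc_d(double v)
{
    return (double)(long)v;            /* integer cast rounds toward zero */
}

static double floor_d(double v)
{
    long i = (long)v;
    return (v < (double)i) ? (double)(i - 1) : (double)i;
}

/* Clamp an integer coordinate to the inclusive range [lo, hi]. */
static int clamp_int(int v, int lo, int hi)
{
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}

/* Model of the clamp-then-snap logic: derive the integer coordinate from the
 * subpixel one, clamp it, and overwrite the subpixel value only when the
 * integer changed. use_floor == 0 reproduces the old trunc() behaviour,
 * use_floor == 1 the fixed floor() behaviour. Returns the final coordinate. */
double snap_coordinate(double screen, int lo, int hi, int use_floor)
{
    double (*rnd)(double) = use_floor ? floor_d : trunc_d;
    int x = clamp_int((int)rnd(screen), lo, hi);

    /* "drop the float component on the floor" if clamping moved the pointer */
    if (x != rnd(screen))
        screen = x;
    return screen;
}

/* 1 if the coordinate is inside [lo, hi], 0 if it escaped the clamp. */
int coordinate_in_bounds(double screen, int lo, int hi)
{
    return screen >= lo && screen <= hi;
}

int main(void)
{
    const int hi = 1919;   /* constructed screen width minus one */

    /* just left of the edge at 0: trunc(-0.5) == 0, so nothing is snapped */
    printf("trunc: -0.5 -> %g (in bounds: %d)\n",
           snap_coordinate(-0.5, 0, hi, 0),
           coordinate_in_bounds(snap_coordinate(-0.5, 0, hi, 0), 0, hi));
    printf("floor: -0.5 -> %g (in bounds: %d)\n",
           snap_coordinate(-0.5, 0, hi, 1),
           coordinate_in_bounds(snap_coordinate(-0.5, 0, hi, 1), 0, hi));
    /* a pointer limit at a negative integer, the subtler case in the message */
    printf("trunc: -2.5, limit -2 -> %g\n", snap_coordinate(-2.5, -2, hi, 0));
    printf("floor: -2.5, limit -2 -> %g\n", snap_coordinate(-2.5, -2, hi, 1));
    return 0;
}
```

With `trunc`, -0.5 survives untouched because its truncation already equals the clamped value 0; with `floor`, the integer side becomes -1, the clamp moves it to 0, the mismatch is detected and the subpixel value is corrected. The same pattern repeats at a negative limit, which is why the commit changed the remaining `trunc` calls as well.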

commit 101caa1b03bc26b718f4618eb24104add5d14a4b
Author: Povilas Kanapickas <povilas@radix.lt>
Date:   Wed Apr 3 23:43:42 2024 +0300

    xserver 21.1.12
    
    Signed-off-by: Povilas Kanapickas <povilas@radix.lt>

commit 1173156404be826f50f453ca11bda28ccb5a5268
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jan 30 13:13:35 2024 +1000

    render: fix refcounting of glyphs during ProcRenderAddGlyphs
    
    Previously, AllocateGlyph would return a new glyph with refcount=0 and a
    re-used glyph would end up not changing the refcount at all. The
    resulting glyph_new array would thus have multiple entries pointing to
    the same non-refcounted glyphs.
    
    AddGlyph may free a glyph, resulting in a UAF when the same glyph
    pointer is then later used.
    
    Fix this by returning a refcount of 1 for a new glyph and always
    incrementing the refcount for a re-used glyph, followed by dropping that
    refcount back down again when we're done with it.
    
    CVE-2024-31083, ZDI-CAN-22880
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
    (cherry picked from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
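
This commit and the later "render: Avoid possible double-free in ProcRenderAddGlyphs()" follow-up together describe the reference-counting protocol that keeps glyph reuse safe: a new glyph starts at refcount 1, a reused glyph gets its refcount bumped, AddGlyph never frees the glyph it was handed, and the caller drops every reference it holds once it is done. The block below is an added example written for this changelog, not xserver's render code: `Glyph`, `GlyphSet` and the helpers (`AllocateGlyph`, `AddGlyph`, `FreeGlyph`, `AddGlyphsToSet`, `GlyphDemo`) are constructed toys that implement that protocol with a hash as glyph identity.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed toy glyph and glyph set; the real GlyphPtr/GlyphSetPtr carry
 * far more state. Two glyphs with the same `hash` count as the same glyph. */
typedef struct {
    int refcnt;
    uint32_t hash;
} Glyph;

#define SET_CAPACITY 16
typedef struct {
    Glyph *entries[SET_CAPACITY];
    int count;
} GlyphSet;

/* Fixed behaviour: a new glyph starts with refcount 1, owned by the caller. */
Glyph *AllocateGlyph(uint32_t hash)
{
    Glyph *g = calloc(1, sizeof *g);
    if (g) {
        g->refcnt = 1;
        g->hash = hash;
    }
    return g;
}

static Glyph *FindGlyph(GlyphSet *set, uint32_t hash)
{
    for (int i = 0; i < set->count; i++)
        if (set->entries[i]->hash == hash)
            return set->entries[i];
    return NULL;
}

/* Drop one reference; the glyph is destroyed when the last one goes away. */
void FreeGlyph(Glyph *g)
{
    if (--g->refcnt == 0)
        free(g);
}

/* Returns the glyph the set holds for `glyph`: the glyph itself (the set takes
 * a reference) or an existing equal glyph (its refcount is bumped so the
 * caller can drop it later). The glyph passed in is never freed here. */
Glyph *AddGlyph(GlyphSet *set, Glyph *glyph)
{
    Glyph *existing = FindGlyph(set, glyph->hash);
    if (existing) {
        existing->refcnt++;            /* reference handed back to the caller */
        return existing;
    }
    if (set->count >= SET_CAPACITY)
        return NULL;
    glyph->refcnt++;                   /* the set's own reference */
    set->entries[set->count++] = glyph;
    return glyph;
}

/* Release the set's references; the set is empty afterwards. */
void FreeGlyphSet(GlyphSet *set)
{
    for (int i = 0; i < set->count; i++)
        FreeGlyph(set->entries[i]);
    set->count = 0;
}

/* Caller-side protocol: allocate each glyph, add it, drop our copy if the set
 * already had an equal glyph, and finally drop the reference AddGlyph handed
 * back. Returns how many glyphs were processed. */
int AddGlyphsToSet(GlyphSet *set, const uint32_t *hashes, int n)
{
    Glyph *held[SET_CAPACITY];
    int processed = 0;

    if (n > SET_CAPACITY)
        n = SET_CAPACITY;
    for (int i = 0; i < n; i++) {
        Glyph *g = AllocateGlyph(hashes[i]);
        Glyph *h;
        if (!g)
            break;
        h = AddGlyph(set, g);          /* never frees g */
        if (h != g)
            FreeGlyph(g);              /* duplicate or failure: drop our copy */
        if (!h)
            break;
        held[processed++] = h;
    }
    for (int i = 0; i < processed; i++)
        FreeGlyph(held[i]);            /* balance the reference AddGlyph gave us */
    return processed;
}

/* Refcount of the glyph stored for `hash`, or -1 if the set has none. */
int GlyphRefcount(GlyphSet *set, uint32_t hash)
{
    Glyph *g = FindGlyph(set, hash);
    return g ? g->refcnt : -1;
}

/* Constructed scenario {1, 2, 1}: the third glyph duplicates the first.
 * Returns count * 100 + refcnt(1) * 10 + refcnt(2), expected 211, or -1. */
int GlyphDemo(void)
{
    static const uint32_t hashes[3] = { 1, 2, 1 };
    GlyphSet set = { { NULL }, 0 };
    int result = -1;

    if (AddGlyphsToSet(&set, hashes, 3) == 3)
        result = set.count * 100 + GlyphRefcount(&set, 1) * 10
                 + GlyphRefcount(&set, 2);
    FreeGlyphSet(&set);
    return result;
}
```

After the scenario runs, the set holds two glyphs, each with exactly one reference (the set's), and the duplicate was released by the caller rather than by `AddGlyph`. Keeping ownership on the caller's side is what removes both the stale `glyph_new` entries from this commit and the double `FreeGlyph` from the follow-up.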

commit 0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 22 19:07:34 2024 -0700

    Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
    
    CVE-2024-31082
    
    Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
    (cherry picked from commit 6c684d035c06fd41c727f0ef0744517580864cef)

commit cea92ca78f900bfb4c9a5540dfd631e065b9151b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 22 18:56:27 2024 -0700

    Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
    
    CVE-2024-31081
    
    Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
    (cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)

commit 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 22 18:51:45 2024 -0700

    Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply
    
    CVE-2024-31080
    
    Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
    Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
    (cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)

commit 5ca3a95135d9c89753e2af19da5a2615ea2be1c3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Mar 21 18:08:35 2024 -0700

    Xext: SProcSyncCreateFence needs to swap drawable id too
    
    Otherwise it causes the server to return BadDrawable giving a
    byte-swapped resource id instead of the real id the client sent.
    
    Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
    Fixes: 397dfd9f8 ("Create/Destroy/Trigger/Reset/Query Fence Sync objs")
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    ---
    (cherry picked from commit e6573baa7d99a77f44229b9a96a41bbda57e2387)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1438>

commit 5d7272f05d9ef6bef93419febee3c9dfc63ec055
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Sat Mar 23 10:42:33 2024 -0700

    Allow disabling byte-swapped clients
    
    The X server swapping code is a huge attack surface, much of this code
    is untested and prone to security issues. The use-case of byte-swapped
    clients is very niche, so allow users to disable this if they don't
    need it, using either a config option or commandline flag.
    
    For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "off".
    For all DDX, this adds the commandline options +byteswappedclients and
    -byteswappedclients to enable or disable, respectively.
    
    Fixes #1201
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    ---
    (cherry picked from commit 412777664a20dd3561b936c02c96571a756fe9b2)
    (cherry picked from commit af5cd5acc9012e527ee869f8e98bf6c2e9a02ca4)
    Backport to server-21.1-branch modified to keep byte-swapping enabled
    by default but easy to disable by users or admins (or even by distros
    shipping an xorg.conf.d fragment in their packages).
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1440>

commit 8a46a463f631ed52613d67f4088924acbbb6ca20
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sun Dec 5 22:05:08 2021 +0100

    Initialize Mode->name in xf86CVTMode()
    
    This was overlooked when converting the function to use libxcvt.
    Bring back name initialization from old code.
    
    This was causing a segfault in xf86LookupMode() if modes where
    name is NULL are present in the modePool list.
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    ---
    (cherry picked from ed11c4d443ad2e82512df64358d38008e0ee7693)
    
    Reported-by: "Sergiy" <Black_N@ukr.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1319>

commit f653d9a0af912e577fab5c02b2a4eb380d33e8bb
Author: Yusuf Khan <yusisamerican@gmail.com>
Date:   Sat Feb 17 12:38:10 2024 -0800

    hw/xfree86: fix NULL pointer reference to mode name
    
    Potentially, the pointer to the mode name could be unset; this can
    occur with the xf86-video-nv DDX, in that case there isn't much we can do
    except check if the next mode is any better.
    
    Signed-off-by: Yusuf Khan <yusisamerican@gmail.com>
    ---
    (cherry picked from db3aa4e03b180244e8b4b02272c49f1e0c48b463)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1309>

commit 8b75ec34dfbe435cd3a17e64138e22a37395a6d8
Author: Povilas Kanapickas <povilas@radix.lt>
Date:   Sun Dec 19 18:11:07 2021 +0200

    dix: Fix use after free in input device shutdown
    
    This fixes access to freed heap memory via dev->master. E.g. when
    running BarrierNotify.ReceivesNotifyEvents/7 test from
    xorg-integration-tests:
    
    ==24736==ERROR: AddressSanitizer: heap-use-after-free on address
    0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
    READ of size 4 at 0x619000065020 thread T0
        #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
        #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
        #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
    ../../../Xi/xichangehierarchy.c:95
        #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
    ../../../hw/xfree86/common/xf86Xinput.c:1142
        #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
        #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
        #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
        #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
        #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
    
    0x619000065020 is located 160 bytes inside of 912-byte region
    [0x619000064f80,0x619000065310)
    freed by thread T0 here:
    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
        #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
        #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
    ../../../hw/xfree86/common/xf86Xinput.c:1142
        #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
        #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
        #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
        #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    
    previously allocated by thread T0 here:
    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
        #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
        #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
        #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
    ../../../Xi/xichangehierarchy.c:465
        #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
        #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
        #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
        #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    
    The problem is caused by dev->master not being reset when disabling the
    device, which then causes a dangling pointer when the master device itself
    is being deleted when exiting the whole server.
    
    Note that RecalculateMasterButtons() requires dev->master to be still
    valid, so we can reset it only at the end of the function.
    
    Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
    (cherry picked from commit 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41)

commit 31407c0199da877b359b2e37bb371804321279b7
Author: José Expósito <jose.exposito89@gmail.com>
Date:   Tue Jan 16 10:15:15 2024 +0100

    xserver 21.1.11
    
    Signed-off-by: José Expósito <jose.exposito89@gmail.com>

commit a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Dec 6 11:51:56 2023 +0100

    ephyr,xwayland: Use the proper private key for cursor
    
    The cursor in DIX is actually split in two parts, the cursor itself and
    the cursor bits, each with their own devPrivates.
    
    The cursor itself includes the cursor bits, meaning that the cursor bits'
    devPrivates are within the structure of the cursor.
    
    Both Xephyr and Xwayland were using the private key for the cursor bits
    to store the data for the cursor, and when using XSELINUX which comes
    with its own special devPrivates, the data stored in that cursor bits'
    devPrivates would interfere with the XSELINUX devPrivates data and the
    SELINUX security ID would point to some other unrelated data, causing a
    crash in the XSELINUX code when trying to (re)use the security ID.
    
    CVE-2024-0409
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)

commit 8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Dec 6 12:09:41 2023 +0100

    glx: Call XACE hooks on the GLX buffer
    
    The XSELINUX code will label resources at creation by checking the
    access mode. When the access mode is DixCreateAccess, it will call the
    function to label the new resource SELinuxLabelResource().
    
    However, GLX buffers do not go through the XACE hooks when created,
    hence leaving the resource actually unlabeled.
    
    When, later, the client tries to create another resource using that
    drawable (like a GC for example), the XSELINUX code would try to use
    the security ID of that object which has never been labeled, get a NULL
    pointer and crash when checking whether the requested permissions are
    granted for the subject security ID.
    
    To avoid the issue, make sure to call the XACE hooks when creating the
    GLX buffers.
    
    Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
    
    CVE-2024-0408
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)

commit 5c4816afa7722ea47d1a7dea983a953e7b454d26
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Jan 5 09:40:27 2024 +1000

    dix: when disabling a master, float disabled slaved devices too
    
    Disabling a master device floats all slave devices but we didn't do this
    to already-disabled slave devices. As a result those devices kept their
    reference to the master device resulting in access to already freed
    memory if the master device was removed before the corresponding slave
    device.
    
    And to match this behavior, also forcibly reset that pointer during
    CloseDownDevices().
    
    Related to CVE-2024-21886, ZDI-CAN-22840
    
    (cherry picked from commit 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8)

commit 7b5694368b3f3b039fb523e66b816c1323f3cc39
Author: José Expósito <jexposit@redhat.com>
Date:   Fri Dec 22 18:28:31 2023 +0100

    Xi: do not keep linked list pointer during recursion
    
    The `DisableDevice()` function is called whenever an enabled device
    is disabled and it moves the device from the `inputInfo.devices` linked
    list to the `inputInfo.off_devices` linked list.
    
    However, its link/unlink operation has an issue during the recursive
    call to `DisableDevice()` due to the `prev` pointer pointing to a
    removed device.
    
    This issue leads to a length mismatch between the total number of
    devices and the number of devices in the list, leading to a heap
    overflow and, possibly, to local privilege escalation.
    
    Simplify the code that checked whether the device passed to
    `DisableDevice()` was in `inputInfo.devices` or not and find the
    previous device after the recursion.
    
    CVE-2024-21886, ZDI-CAN-22840
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit bc1fdbe46559dd947674375946bbef54dd0ce36b)

commit 6236342157b9ddc9a4ebb3438e469a8cb37eaecb
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Jan 4 10:01:24 2024 +1000

    Xi: flush hierarchy events after adding/removing master devices
    
    The `XISendDeviceHierarchyEvent()` function allocates space to store up
    to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
    
    If a device with a given ID was removed and a new device with the same
    ID added both in the same operation, the single device ID will lead to
    two info structures being written to `info`.
    
    Since this case can occur for every device ID at once, a total of two
    times `MAXDEVICES` info structures might be written to the allocation.
    
    To avoid it, once one add/remove master is processed, send out the
    device hierarchy event for the current state and continue. That event
    thus only ever has exactly one of either added/removed in it (and
    optionally slave attached/detached).
    
    CVE-2024-21885, ZDI-CAN-22744
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1)

commit 8887cb1f27c72324b50383b644cefb960e21f5ff
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Dec 21 13:48:10 2023 +1000

    Xi: when creating a new ButtonClass, set the number of buttons
    
    There's a racy sequence where a master device may copy the button class
    from the slave, without ever initializing numButtons. This leads to a
    device with zero buttons but a button class which is invalid.
    
    Let's copy the numButtons value from the source - by definition if we
    don't have a button class yet we do not have any other slave devices
    with more than this number of buttons anyway.
    
    CVE-2024-0229, ZDI-CAN-22678
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit df3c65706eb169d5938df0052059f3e0d5981b74)

commit 7173a8911ebeaa7c9c12bd64a2ba9c8685c6593c
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Dec 18 12:26:20 2023 +1000

    dix: fix DeviceStateNotify event calculation
    
    The previous code only made sense if one considers buttons and keys to
    be mutually exclusive on a device. That is not necessarily true, causing
    a number of issues.
    
    This function allocates and fills in the number of xEvents we need to
    send the device state down the wire.  This is split across multiple
    32-byte devices including one deviceStateNotify event and optional
    deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
    deviceValuator events.
    
    The previous behavior would instead compose a sequence
    of [state, buttonstate, state, keystate, valuator...]. This is not
    protocol correct, and on top of that made the code extremely convoluted.
    
    Fix this by streamlining: add both button and key into the deviceStateNotify
    and then append the key state and button state, followed by the
    valuators. Finally, the deviceValuator events contain up to 6 valuators
    per event but we only ever sent through 3 at a time. Let's double that
    throughput.
    
    CVE-2024-0229, ZDI-CAN-22678
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit 219c54b8a3337456ce5270ded6a67bcde53553d5)

commit c494debaa76c923621e6b9f54bbd59ed47842b30
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Dec 18 14:27:50 2023 +1000

    dix: Allocate sufficient xEvents for our DeviceStateNotify
    
    If a device has both a button class and a key class and numButtons is
    zero, we can get an OOB write due to event under-allocation.
    
    This function seems to assume a device has either keys or buttons, not
    both. It has two virtually identical code paths, both of which assume
    they're applying to the first event in the sequence.
    
    A device with both a key and button class triggered a logic bug - only
    one xEvent was allocated but the deviceStateNotify pointer was pushed on
    once per type. So effectively this logic code:
    
       int count = 1;
       if (button && nbuttons > 32) count++;
       if (key && nbuttons > 0) count++;
       if (key && nkeys > 32) count++; // this is basically always true
       // count is at 2 for our keys + zero button device
    
       ev = alloc(count * sizeof(xEvent));
       FixDeviceStateNotify(ev);
       if (button)
         FixDeviceStateNotify(ev++);
       if (key)
         FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here
    
    If the device has more than 3 valuators, the OOB is pushed back - we're
    off by one so it will happen when the last deviceValuator event is
    written instead.
    
    Fix this by allocating the maximum number of events we may allocate.
    Note that the current behavior is not protocol-correct anyway, this
    patch fixes only the allocation issue.
    
    Note that this issue does not trigger if the device has at least one
    button. While the server does not prevent a button class with zero
    buttons, it is very unlikely.
    
    CVE-2024-0229, ZDI-CAN-22678
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit ece23be888a93b741aa1209d1dbf64636109d6a5)

commit 4e78bc3a6e593f70aa5306b314edbec03d2f9081
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Dec 14 11:29:49 2023 +1000

    dix: allocate enough space for logical button maps
    
    Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
    each logical button currently down. Since buttons can be arbitrarily mapped
    to anything up to 255 make sure we have enough bits for the maximum mapping.
    
    CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)

commit c338d19f743ca5872ff74d6f2ce5d37d3b7f4a2a
Author: Michael Wyraz <mw@brick4u.de>
Date:   Fri Oct 14 15:07:27 2022 +0200

    Removing the code that deletes an existing monitor in RRMonitorAdd
    
    In commit 7e1f86d4 monitor support was added to randr. At this time it
    seemed to be reasonable not to have more than one (virtual) monitor on a
    particular physical display. The code was never changed since.
    
    Nowadays, extremely large displays exist (4k displays, ultra-wide
    displays). In some use cases it makes sense to split these large
    physical displays into multiple virtual monitors. An example is
    ultra-wide screens that can be split into 2 monitors. The change in this
    commit makes this work.
    
    Besides that, removing a monitor in a function that is called
    "RRMonitorAdd" is bad practice and causes unexpected behaviour.

commit 15e2409776014b41c77f7da7aeb9520613994d27
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Dec 13 11:12:59 2023 +1000

    xserver 21.1.10
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit a7bda3080d2b44eae668cdcec7a93095385b9652
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Nov 28 15:19:04 2023 +1000

    Xi: allocate enough XkbActions for our buttons
    
    button->xkb_acts is supposed to be an array sufficiently large for all
    our buttons, not just a single XkbActions struct. Allocating
    insufficient memory here means when we memcpy() later in
    XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
    leading to the usual security ooopsiedaisies.
    
    CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
