| Commit message | Author | Age | Files | Lines |
|
Signed-off-by: Simon Ser <contact@emersion.fr>
|
If the length of a message exceeds the maximum length of the buffer, the
buffer size will reach its maximum value and stay there forever, with no
message ever being successfully processed. Since libwayland uses
level-triggered epoll, this will cause the compositor to loop forever
and consume CPU time. In libwayland 1.22 and below, there was an
explicit check that caused messages exceeding 4096 bytes to result in an
EOVERFLOW error, preventing the loop. However, this check was removed
in d074d5290263 ("connection: Dynamically resize connection buffers").

To prevent this problem, always limit the size of messages to 4096 bytes.
Since the default and minimum buffer size is 4096 bytes, this ensures
that a single message will always fit in the buffer. It would be
possible to allow larger messages if the buffer size was larger, but the
maximum size of a message should not depend on the buffer size chosen by
the compositor.

Rejecting messages that exceed 4092 bytes seems to have the advantage of
reserving 4 bits, not 3, in the size field for future use. However,
message sizes in the range [0x0, 0x7] are invalid, so one can obtain a
fourth bit by negating the meaning of bit 12 if bits 0 through 11
(inclusive) are 0. Allowing 4096-byte messages provides the far more
important advantage that regressions compared to 1.22 are impossible
and regressions compared to 1.23 are extremely unlikely. The only case
where a regression is possible is:

- The receiving side is using libwayland 1.23.
- The sending side is either using libwayland 1.23 or is not using
  libwayland.
- The sender sends a message exceeding 4096 bytes.
- If the sender of the large message is the client, the server has
  increased the buffer size from the default value.

This combination is considered extremely unlikely, as libwayland 1.22
and below would disconnect upon receiving such a large message.
4096-byte messages, however, have always worked, so there was no reason
to avoid sending them.

Fixes: d074d5290263 ("connection: Dynamically resize connection buffers").
Fixes: #494
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
(cherry picked from commit adf84614ca6189fa4efc522408ffbbc4b27ae497)
|
Signed-off-by: Simon Ser <contact@emersion.fr>
|
Closes: https://gitlab.freedesktop.org/wayland/wayland/-/issues/515
Signed-off-by: Matt Turner <mattst88@gmail.com>
(cherry picked from commit 53fbc2b0c1dc70b3a96740ab0ceff6a9fe09b940)
|
Closes: https://gitlab.freedesktop.org/wayland/wayland/-/issues/514
Signed-off-by: Matt Turner <mattst88@gmail.com>
(cherry picked from commit fdac631d1744d50e6e470bb78bf5057664967e32)
|
Signed-off-by: Matt Turner <mattst88@gmail.com>
(cherry picked from commit 6c1da920185955f7c86af38787c8889203ec3fcb)
|
Previously each value was a list of extra sources. The next commit will add an
additional field to each test, so they need to be dicts themselves.
Signed-off-by: Matt Turner <mattst88@gmail.com>
(cherry picked from commit ca83185e8a28017ff3a2f9edccaa5d35bb86f1d7)
|
Do not override realloc's input pointer before checking for errors,
otherwise it's not possible to keep the old value, as intended.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit 0de833da296e59e2495738afc450d1d3cb0314b3)
|
The header offset must not be smaller than file header length.
Ignore such invalid files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit 2978fd701a6987668a4ff41f9434f6c0da705596)
|
If cursor files require more than INT_MAX bytes, it is possible to
trigger out of boundary writes.
Since these sizes are most likely not desired anyway, gracefully
handle these situations like out of memory errors.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit 5c2f31d8d6e5f24962300f4608a0d6f887ca3bea)
|
If the full path could not be constructed, avoid calling opendir(NULL)
which, depending on library, might trigger undefined behavior.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit ce0ac4f29e720688ea94fbe412a0b332304d8ee6)
|
If an index.theme contains a theme name which gets close to INT_MAX,
then creation of full path can lead to a signed integer overflow,
which is undefined behavior.
Fix this by turning one of the values to size_t. Easy solution for a
probably never occurring issue.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit 1bee7aa4a7d6590f882a61a29da16316ba27c600)
|
Signed-off-by: Kirill Primak <vyivel@eclair.cafe>
(cherry picked from commit 6281ccbd3d98ef0a6503425e3e7d705e3075e265)
|
Signed-off-by: Caitlyn Stewart <caitlynrosestewart@gmail.com>
(cherry picked from commit 827d0c30adc4519fafa7a9c725ff355b1d4fa3bd)
|
Signed-off-by: Simon Ser <contact@emersion.fr>
|
This protocol has been superseded. Replace this outdated reference
with a generic hint that protocol extensions may provide this
functionality.
Signed-off-by: Simon Ser <contact@emersion.fr>
|
Typos found with codespell and during code audit.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
This is useful for the wayland bindings/scanner I'm working on for a
dynamically typed language.
Signed-off-by: Isaac Freund <mail@isaacfreund.com>
|
This is useful for the wayland bindings/scanner I'm working on for a
dynamically typed language.
Signed-off-by: Isaac Freund <mail@isaacfreund.com>
|
It wasn't explicitly stated that wl_seat.capabilities should also
be sent on bind. Everyone did because it was obviously sensible.
This also clarifies that static seat name should be sent before
announcing capabilities so clients can associate these devices with the
right seat name.
Signed-off-by: David Edmundson <davidedmundson@kde.org>
|
Parentheses make it so the generated HTML documentation contains
links, which makes navigation easier.
Signed-off-by: Simon Ser <contact@emersion.fr>
|
The paragraph later says that accessing different buffers is
allowed. The function checks whether the same pool is accessed.
Signed-off-by: Simon Ser <contact@emersion.fr>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Shared memory buffers are currently tied to the lifetime of their
underlying wl_buffer resource. This becomes problematic when the client
destroys the resource after committing new state which references the
wl_buffer because a compositor might have to defer applying the commit.
This commit adds methods to keep the wl_shm_buffer alive longer than the
underlying resource. This implicitly also keeps the buffer pool alive
and because the wl_shm_buffer uses offsets into the pool, it even works
when the underlying storage gets remapped somewhere else, which can
happen when the client resizes the pool.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
If the pool refcount reaches zero, it is freed, so accessing its members
is UB which ASan would catch.
Also simplify check for negative refcounts.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Sebastian pointed out that the existing text could be read as
wl_buffer.destroy not being allowed before the wl_buffer.release event
arrives, contrary to what the wl_surface.attach description says.
Clarify to be consistent with the latter.
This is a follow-up for
https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/141 .
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
v2:
* Simplify clarification, don't talk about callbacks. (Julian Orth)
* Add reference to details in the description of wl_surface.attach.
(Daniel Stone)
v3:
* Tweak clarification again. (Sebastian Wick)
v4:
* Make clarification even less ambiguous. (Simon Ser, Julian Orth)
v5:
* Just refer to the description of wl_surface.attach instead of trying
to clarify anything here. (Sebastian Wick)
|
This seems to have been the case since 2013.
This is useful for wrappers that need two pointers to identify proxies.
One pointer (stored in the user data) pointing to a singleton object to
identify that the proxy has a known structure. And one pointer (stored
in the dispatcher data) pointing to per-proxy data.
Signed-off-by: Julian Orth <ju.orth@gmail.com>
|
Generated XXX_is_valid() functions for enums are guarded behind the
same #define as the enum itself. This worked fine until recently,
but since fbd7460737c9 ("scanner: add new enum-header mode") we're
also generating enum-only headers.
When including the enum-only header first, and then the server
header, the validator functions are missing.
Define a separate guard to fix this.
Signed-off-by: Simon Ser <contact@emersion.fr>
|
The `timespec` struct is defined in `time.h` header but only if
`_POSIX_C_SOURCE` is set or when using the C11 standard.
Signed-off-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
|
Signed-off-by: David Redondo <kde@david-redondo.de>
|
Fixes #522
Signed-off-by: David Redondo <kde@david-redondo.de>
|
Now that wl_fixed_from_double() calls round() from a function declared
in a header, our users need to explicitly pick that dependency up in
order to avoid build errors.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Closes: wayland/weston#991
|
Add tests which verify that...
* wl_display_dispatch_timeout with a big enough timeout behaves the same
as wl_display_dispatch
* wl_display_dispatch_timeout will time out when there are no messages
to dispatch
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
A variant of wl_display_dispatch_queue_timeout for the default queue.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
For dispatching messages on a queue with a timeout.
This slightly changes the semantics of wl_display_dispatch. Previously
it was possible for it to return even though there wasn't a single
dispatched event. The function correctly returned 0 in this case but it
is now used to indicate a timeout.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
Makes it possible to e.g. call `wl_client_get_credentials` with a `const
struct wl_client *` from a global filter callback.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
|
This includes an explicit way to specify the container architecture,
which fixes our rebuilds on ARMv7.
Signed-off-by: Daniel Stone <daniels@collabora.com>
|
When casting a double to fixed pointer, there will be a big
error, e.g. 1919.9998 to 1919. Call round before the cast
to get the nearest value 1920 of 1919.9998.
Signed-off-by: Haihua Hu <jared.hu@nxp.com>
|
Prevents undefined behavior if there is not enough space in the buffer
for a queued message.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
Calling a function with the wrong type is immediate undefined behavior,
even if the ABI says it should be harmless. UBSAN picks it up
immediately, and any decent control-flow integrity mechanism will as
well.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
Creating a pointer that is more than one element past the end of an
array is undefined behavior, even if the pointer is not dereferenced.
Avoid this undefined behavior by using `p >= end` instead of
`p + 1 > end` and `SOMETHING > end - p` instead of
`p + SOMETHING > end`.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
This commit describes a new wl_fixes interface that can be used to
destroy wl_registry objects.
Users of libwayland-client should use it as follows:
- call wl_fixes_destroy_registry(registry)
- call wl_registry_destroy(registry)
Users of libwayland-server should, in their implementation of the
request, call wl_resource_destroy(registry).
It should be similar in other protocol implementations.
Signed-off-by: Julian Orth <ju.orth@gmail.com>
|
Signed-off-by: YaoBing Xiao <xiaoyaobing@uniontech.com>
|
This request doesn't make sense for all surface roles. For instance,
for maximized/tiled/fullscreen xdg_toplevel, for xdg_popup, for
layer-shell surfaces, etc.
Signed-off-by: Simon Ser <contact@emersion.fr>
|
This allows the compositor to take over the responsibility of repeating
keys.
Signed-off-by: Andri Yngvason <andri@yngvason.is>
|