Explicitly state that the invalid_finish protocol error would be raised
when wl_data_offer.finish request is sent for non drag-and-drop
operations.
Signed-off-by: Harish Krupo <harishkrupo@gmail.com>
The docbook-xsl package includes all the stylesheets required to build
the docs without internet access.
Test:
One way to emulate missing style sheets is to move /etc/xml/catalog file
to a different location. Doing so should cause configure to fail with
"checking for docbook stylesheets... no"
v2: add AC_MSG_RESULT (Pekka)
Signed-off-by: Harish Krupo <harishkrupo@gmail.com>
The size argument to wl_connection_demarshal() is taken from the message by the
caller wl_client_connection_data(), therefore 'size' is untrusted data
controllable by a Wayland client. The size should always be at least the header
size, otherwise the header is invalid.
If the size is smaller than header size, it leads to reading past the end of
allocated memory. Furthermore if size is zero, wl_closure_init() changes
behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
memory.
Check that 'size' fits at least the header. The space for arguments is already
properly checked.
This makes the request_bogus_size test free of errors under Valgrind.
Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
This attempts to reproduce the error conditions from
https://gitlab.freedesktop.org/wayland/wayland/issues/52 and make it crash.
While the crash was repeatable in my tests, it depends on garbage on stack
leading to access of invalid memory, which is not guaranteed.
This is a FAIL_TEST, so that the following fix commit can be verified.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
The experience from Weston shows that the Gitlab merge request based workflow
works really well. Recently there have also been issues with the mailing list
that have made the email based workflow more painful than it used to be. Those
issues might have been temporary or occasional, but they probably are only
going to increase.
The MR workflow is different, it has its issues
(https://gitlab.freedesktop.org/freedesktop/freedesktop/issues/74) and we
likely lose the explicit Reviewed-by etc. tags from commit messages, but it is
also much easier to work with: no more whitespace damaged patches, lost email,
setting up git-send-email; we gain automated CI before any human reviewer even
looks at anything, and people can jump in to an ongoing discussion even if they
weren't subscribed before.
If you still want email, you can subscribe to that selectively(!) in Gitlab
yourself.
This text has been copied from Weston's CONTRIBUTING.md of the 5.0.91 release
and slightly altered for Wayland.
Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/49
v2: fixed two left-over mentions of Weston
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
v1 Reviewed-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Scott Anderson <scott.anderson@collabora.com>
Acked-by: Ian Ray <ian.ray@ge.com>
Acked-by: Derek Foreman <derek.foreman.wayland@gmail.com>
The definition of wl_argument in wayland-util.h references wl_object,
so wl_object ought to be defined in wayland-util.h. This resolves
gitlab issue #78.
Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/78
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
So far I got these errors before patching:
libtool: link: cc -o .libs/headers-test -pthread -Wall -Wextra -Wno-unused-parameter -g -Wstrict-prototypes -Wmissing-prototypes -fvisibility=hidden -O2 -pipe tests/headers-test.o tests/headers-protocol-test.o tests/headers-protocol-core-test.o /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a -L.libs -lwayland-client -lffi -lm -lwayland-server -lkvm -Wl,-rpath-link,/usr/local/lib
ld: error: duplicate symbol: main
>>> defined at headers-test.c:53 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/headers-test.c:53)
>>> tests/headers-test.o:(main)
>>> defined at test-runner.c:377 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/test-runner.c:377)
>>> test-runner.o:(.text+0x250) in archive /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a
libtool: link: cc -o .libs/exec-fd-leak-checker -pthread -Wall -Wextra -Wno-unused-parameter -g -Wstrict-prototypes -Wmissing-prototypes -fvisibility=hidden -O2 -pipe tests/exec-fd-leak-checker.o /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a -L.libs -lwayland-client -lffi -lm -lwayland-server -lkvm -Wl,-rpath-link,/usr/local/lib
ld: error: duplicate symbol: main
>>> defined at exec-fd-leak-checker.c:57 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/exec-fd-leak-checker.c:57)
>>> tests/exec-fd-leak-checker.o:(main)
>>> defined at test-runner.c:377 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/test-runner.c:377)
>>> test-runner.o:(.text+0x250) in archive /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a
Makefile.am: error: object 'tests/test-helpers.$(OBJEXT)' created both with libtool and without
libtool: link: cc -o .libs/fixed-benchmark -pthread -Wall -Wextra -Wno-unused-parameter -g -Wstrict-prototypes -Wmissing-prototypes -fvisibility=hidden -O2 -pipe tests/fixed-benchmark.o /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a -L.libs -lwayland-client -lffi -lm -lwayland-server -lkvm -Wl,-rpath-link,/usr/local/lib
ld: error: duplicate symbol: main
>>> defined at fixed-benchmark.c:100 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/fixed-benchmark.c:100)
>>> tests/fixed-benchmark.o:(main)
>>> defined at test-runner.c:377 (/tmp/obj/wayland-1.16.0/wayland-1.16.0/tests/test-runner.c:377)
>>> test-runner.o:(.text+0x250) in archive /tmp/obj/wayland-1.16.0/build-amd64/.libs/libtest-runner.a
This commit fixes all of that.
Signed-off-by: Leonid Bobrov <mazocomp@disroot.org>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
All wl_output properties don't always make sense for all
compositors.
Some compositors might not implement a "global compositor space",
(e.g. 3D compositors) in which case properties like x and y don't
make sense.
Some compositors might expose virtual outputs, in which case modes,
make and model are not relevant.
In a lot of these situations, information from xdg_output is better
suited.
Compositors also expose output refresh rate, which shouldn't be used
for synchronization purposes.
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derek.foreman.wayland@gmail.com>
Upstream SDL supports Wayland since v2.0.4 (June 2015):
https://forums.libsdl.org/viewtopic.php?t=11294
Just set SDL_VIDEODRIVER=wayland and SDL will do the right thing :)
Signed-off-by: Eric Engestrom <eric.engestrom@intel.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Calling printf("%s", NULL) is undefined behaviour.
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Many languages such as C++ or Rust have an unwinding error-reporting
mechanism. Code in these languages can (and must!) wrap request handling
callbacks in unwind guards to avoid undefined behaviour.
As a consequence such code will detect internal server errors, but have
no way to communicate such failures to the client.
This adds a WL_DISPLAY_ERROR_IMPLEMENTATION error to wl_display so that
such code can notify (and disconnect) clients which hit internal bugs.
While servers can currently abuse other wl_display errors for the same
effect, adding an explicit error code allows clients to tell the
difference between errors which are their fault and errors which are the
server's fault. This is particularly interesting for automated bug
reporting.
v2: Rename error from "internal" to "implementation", in sympathy with
X11's BadImplementation error.
Add more justification in the commit message.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
This will allow other wrappers around wl_resource_post_error to accept
variable argument lists.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
This commit makes wl_surface.damage_buffer preferred over wl_surface.damage.
wl_surface.damage can be implemented in a non-optimal way by the compositor
(e.g. by always damaging the whole buffer).
Having two requests makes it complicated for the compositor to handle damage,
making it necessary to transform one into the other's coordinates.
Moreover, integration with wp_viewporter is tricky.
Signed-off-by: Simon Ser <contact@emersion.fr>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Weston commit 76829fc4eaea329d2a525c3978271e13bd76c078 (and similar
commits for other compositors) protects the compositor's keyboard
mapping from client damage by duplicating the keymap for every
client.
On some systems there are other potential fixes for this - such as
using sealed memfds on linux - but we can't use them since
essentially all client code anywhere has mapped the keyboard map
with a MAP_SHARED mmap() call.
While we can't break years worth of code, we can require any future
clients to use MAP_PRIVATE if they use a seat version above 6.
If a compositor can't use sealing or a similar facility, it should
still protect itself with copied keymaps, but clients must always
assume shared mapping of a keymap will fail.
Signed-off-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Philipp Kerling <pkerling@casix.org>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
There are far better ways to detect memory leaks, such as either
valgrind or ASan. Having Meson makes it really easy to use these tools
in our tests, and we can do that in CI as well.
Having these local wrappers actually completely broke ASan usage, so
remove them in favour of using the more powerful options.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Clang will rightly point out that example_sockaddr_un in socket-test
will get discarded from the compilation unit as it is completely unused.
Put in a couple of lines which of no value other than stopping Clang
from complaining.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Clang warns that it can silently discard a non-volatile write to a NULL
pointer (perhaps it constitutes undefined behaviour?), and recommends
changing it to volatile.
This patch slavishly complies with the demand of the unfeeling machine.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
libxml2 unconditonally defines XMLCALL to nothing. Expat does not
redefine XMLCALL if it is already defined, but if it is not, and we are
building with gcc on i386 (not x86-64), it will define it as 'cdecl'.
Including Expat before libxml thus results in a warning about XMLCALL
being redefined. Luckily we can get around this by just reversing the
include order: cdecl is a no-op on Unix-like systems, so by having
libxml first define XMLCALL to nothing and including Expat afterwards,
we avoid the warning and lose nothing.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Help static analysers by letting them know that once we fail(),
execution will terminally complete.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Found with both ASan leak sanitizer and Valgrind. We were trivially
leaking the enum name for every arg parsed by the scanner which had one.
If libxml-based DTD validation was enabled, we would also leak the DTD
itself, despite diligently freeing the document, context, etc.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Attempting to demarshal message with array or string longer than its
body should return failure. Handling the length correctly is tricky when
it gets to near-UINT32_MAX values. Unexpected overflows can cause
crashes and other security issues.
These tests verify that demarshalling such message gives failure instead
of crash.
v2: Added consts, serialized opcode and size properly, updated style.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Acked-by: Derek Foreman <derek.foreman.samsung@gmail.com>
If the remote side sends sufficiently large `length` field, it will
overflow the `p` pointer. Technically it is undefined behavior, in
practice it makes `p < end`, so the length check passes. Attempts to
access the data later causes crashes.
This issue manifests only on 32bit systems, but the behavior is
undefined everywhere.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
The DIV_ROUNDUP macro would overflow when trying to round values higher
than MAX_UINT32 - (a - 1). The result is 0 after the division. This is
potential security issue when demarshalling an array because the length
check is performed with the overflowed value, but then the original huge
value is stored for later use.
The issue was present only on 32bit platforms. The use of size_t in the
DIV_ROUNDUP macro already promoted everything to 64 bit size on 64 bit
systems.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Style changes by Derek Foreman
Note that Weston uses GitLab MRs for review, not mail.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
The protocol spec used to live here, but it's now part of the regular
doc build. The PNG files are created as part of the doc build. Delete
the pre-generated versions.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
The Expat XML library has shipped a pkg-config file for long enough to
be in Debian's oldstable (Jessie, April 2015) and Ubuntu's oldest
supported LTS (Trusty, 14.04). The pkg-config file was added in Expat
upstream's commit 352cfc8f59a7, in September 2007.
Drop build support for versions of Expat which do not ship a
pkg-config file.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
The check for the execinfo.h header is only advisory; the build will not
fail if it is not present, and set HAVE_EXECINFO_H if it is. The check
was added in commit bc3e020475 ("build: Add declaration checks to check for
required syscall flags") with no obvious use or reasoning.
Remove the no-op check.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
commit d94a8722cb
warned this was coming, back in 2013.
I've seen libraries that have wayland client and server using functions
in the same file. Since struct wl_buffer still exists as an opaque
entity in client code, the vestigial deprecated wl_buffer from the
server include will generate warnings when not building with
WL_HIDE_DEPRECATED.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Acked-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Physical size doesn't always make sense for all outputs. In case
it's not available or not relevant, allow compositors to send zero.
Acked-by: Daniel Stone <daniels@collabora.com>
Acked-by: Jonas Ådahl <jadahl@gmail.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
These should be the conventions we have been using since 1.0, written
down more accurately.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
This is what is generally expected from people who re-send patches,
whether the patches are their own or not.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Half of the ideas came from Daniel but most of them are reworded, the
rest are my thoughts.
Mention compiler warnings specifically, and be more explicit on what
kind of code or bugs or bug fixes are acceptable or not. Clarify commit
scope.
v2: move the "In a patch series" rule to the bottom, reworded.
Cc: Daniel Stone <daniels@collabora.com>
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
This is to avoid fighting around the letter of the guidelines. This is
not a protocol spec.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Nothing on the client side uses it since
9fe75537ad which was just before the 0.99
release.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-By: Markus Ongyerth <wl@ongy.net>
