1 commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
2 Author: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Tue Apr 29 16:52:01 2014 +1000
5 Xi: don't copy a DeviceEvent into an InternalEvent
7 ==26141== Invalid read of size 8
8 ==26141== at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
10 An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
11 reads past the allocated boundary. Shouldn't have any real effect since we
12 shouldn't access anything past the DeviceEvent boundary if the event type is
15 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
17 diff --git a/Xi/exevents.c b/Xi/exevents.c
18 index 9c207eb..02530bd 100644
21 @@ -1469,7 +1469,7 @@ static void
22 DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
25 - InternalEvent motion;
28 if (ti->num_listeners) {
30 @@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
31 ti->listeners[0].type != LISTENER_POINTER_GRAB)
35 - motion.any.type = ET_TouchUpdate;
36 - motion.device_event.detail.button = 0;
37 + motion = ev->device_event;
38 + motion.type = ET_TouchUpdate;
39 + motion.detail.button = 0;
41 - if (!RetrieveTouchDeliveryData(dev, ti, &motion,
42 + if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
43 &ti->listeners[0], &client, &win, &grab,
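Review bot: The `(InternalEvent*)&motion` cast on the `RetrieveTouchDeliveryData` call hides the size mismatch instead of removing it, because `motion` is now a DeviceEvent-sized stack object that callees still see as a full `InternalEvent *`. The same cast is repeated in the next hunk for `DeliverTouchEmulatedEvent`, `TouchConvertToPointerEvent` and `ProcessOtherEvent`. None of those callees is visible in this diff, so each needs checking: if one does a whole-union assignment or copy through the pointer, it would now read or write past the end of the local. `TouchConvertToPointerEvent` is the one to check first, since `motion` appears to be its output argument, and a write there would be a stack overwrite rather than the invalid read Valgrind reported. If all four touch only `device_event` members, record that at the declaration with something like `/* DeviceEvent-sized: callees must not access this at sizeof(InternalEvent) */`; otherwise keep an `InternalEvent` local and initialise it with `motion.device_event = ev->device_event;`. The function body continues outside these hunks.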
46 @@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
50 - DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
51 + DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
58 - converted = TouchConvertToPointerEvent(ev, &motion, &button);
59 + converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
61 BUG_WARN(converted == 0);
63 - ProcessOtherEvent(&motion, dev);
64 + ProcessOtherEvent((InternalEvent*)&motion, dev);