[deb_xorg-server.git] / debian / patches / xi-dont-copy-too-much.patch

commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Apr 29 16:52:01 2014 +1000

    Xi: don't copy a DeviceEvent into an InternalEvent
    
    ==26141== Invalid read of size 8
    ==26141==    at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
    
    An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
    reads past the allocated boundary. Shouldn't have any real effect since we
    shouldn't access anything past the DeviceEvent boundary if the event type is
    correct.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1469,7 +1469,7 @@ static void
 DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
                            InternalEvent *ev)
 {
-    InternalEvent motion;
+    DeviceEvent motion;
 
     if (ti->num_listeners) {
         ClientPtr client;
@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
             ti->listeners[0].type != LISTENER_POINTER_GRAB)
             return;
 
-        motion = *ev;
-        motion.any.type = ET_TouchUpdate;
-        motion.device_event.detail.button = 0;
+        motion = ev->device_event;
+        motion.type = ET_TouchUpdate;
+        motion.detail.button = 0;
 
-        if (!RetrieveTouchDeliveryData(dev, ti, &motion,
+        if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
                                        &ti->listeners[0], &client, &win, &grab,
                                        &mask))
             return;
@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
             }
         }
 
-        DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
+        DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
                                   win, grab, mask);
     }
     else {
         InternalEvent button;
         int converted;
 
-        converted = TouchConvertToPointerEvent(ev, &motion, &button);
+        converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
 
         BUG_WARN(converted == 0);
         if (converted)
-            ProcessOtherEvent(&motion, dev);
+            ProcessOtherEvent((InternalEvent*)&motion, dev);
     }
 }
Commit	Line	Data
7217e0ca ML	1	commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
	2	Author: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue Apr 29 16:52:01 2014 +1000
	4
	5	Xi: don't copy a DeviceEvent into an InternalEvent
	6
	7	==26141== Invalid read of size 8
	8	==26141== at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
	9
	10	An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
	11	reads past the allocated boundary. Shouldn't have any real effect since we
	12	shouldn't access anything past the DeviceEvent boundary if the event type is
	13	correct.
	14
	15	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	16
7217e0ca ML	17	--- a/Xi/exevents.c
	18	+++ b/Xi/exevents.c
	19	@@ -1469,7 +1469,7 @@ static void
	20	DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
	21	InternalEvent *ev)
	22	{
	23	- InternalEvent motion;
	24	+ DeviceEvent motion;
	25
	26	if (ti->num_listeners) {
	27	ClientPtr client;
4db25562	28	@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
7217e0ca ML	29	ti->listeners[0].type != LISTENER_POINTER_GRAB)
	30	return;
	31
	32	- motion = *ev;
	33	- motion.any.type = ET_TouchUpdate;
	34	- motion.device_event.detail.button = 0;
	35	+ motion = ev->device_event;
	36	+ motion.type = ET_TouchUpdate;
	37	+ motion.detail.button = 0;
	38
	39	- if (!RetrieveTouchDeliveryData(dev, ti, &motion,
	40	+ if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
	41	&ti->listeners[0], &client, &win, &grab,
	42	&mask))
	43	return;
4db25562	44	@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
7217e0ca ML	45	}
	46	}
	47
	48	- DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
	49	+ DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
	50	win, grab, mask);
	51	}
	52	else {
	53	InternalEvent button;
	54	int converted;
	55
	56	- converted = TouchConvertToPointerEvent(ev, &motion, &button);
	57	+ converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
	58
	59	BUG_WARN(converted == 0);
	60	if (converted)
	61	- ProcessOtherEvent(&motion, dev);
	62	+ ProcessOtherEvent((InternalEvent*)&motion, dev);
	63	}
	64	}
	65