[deb_xorg-server.git] / debian / patches / xi-dont-copy-too-much.patch

commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Apr 29 16:52:01 2014 +1000

    Xi: don't copy a DeviceEvent into an InternalEvent
    
    ==26141== Invalid read of size 8
    ==26141==    at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
    
    An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
    reads past the allocated boundary. Shouldn't have any real effect since we
    shouldn't access anything past the DeviceEvent boundary if the event type is
    correct.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 9c207eb..02530bd 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1469,7 +1469,7 @@ static void
 DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
                            InternalEvent *ev)
 {
-    InternalEvent motion;
+    DeviceEvent motion;
 
     if (ti->num_listeners) {
         ClientPtr client;
@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
             ti->listeners[0].type != LISTENER_POINTER_GRAB)
             return;
 
-        motion = *ev;
-        motion.any.type = ET_TouchUpdate;
-        motion.device_event.detail.button = 0;
+        motion = ev->device_event;
+        motion.type = ET_TouchUpdate;
+        motion.detail.button = 0;
 
-        if (!RetrieveTouchDeliveryData(dev, ti, &motion,
+        if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
                                        &ti->listeners[0], &client, &win, &grab,
                                        &mask))
             return;
@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
             }
         }
 
-        DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
+        DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
                                   win, grab, mask);
     }
     else {
         InternalEvent button;
         int converted;
 
-        converted = TouchConvertToPointerEvent(ev, &motion, &button);
+        converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
 
         BUG_WARN(converted == 0);
         if (converted)
-            ProcessOtherEvent(&motion, dev);
+            ProcessOtherEvent((InternalEvent*)&motion, dev);
     }
 }
Commit	Line	Data
7217e0ca ML	1	commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
	2	Author: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue Apr 29 16:52:01 2014 +1000
	4
	5	Xi: don't copy a DeviceEvent into an InternalEvent
	6
	7	==26141== Invalid read of size 8
	8	==26141== at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
	9
	10	An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
	11	reads past the allocated boundary. Shouldn't have any real effect since we
	12	shouldn't access anything past the DeviceEvent boundary if the event type is
	13	correct.
	14
	15	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	16
	17	diff --git a/Xi/exevents.c b/Xi/exevents.c
	18	index 9c207eb..02530bd 100644
	19	--- a/Xi/exevents.c
	20	+++ b/Xi/exevents.c
	21	@@ -1469,7 +1469,7 @@ static void
	22	DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
	23	InternalEvent *ev)
	24	{
	25	- InternalEvent motion;
	26	+ DeviceEvent motion;
	27
	28	if (ti->num_listeners) {
	29	ClientPtr client;
	30	@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
	31	ti->listeners[0].type != LISTENER_POINTER_GRAB)
	32	return;
	33
	34	- motion = *ev;
	35	- motion.any.type = ET_TouchUpdate;
	36	- motion.device_event.detail.button = 0;
	37	+ motion = ev->device_event;
	38	+ motion.type = ET_TouchUpdate;
	39	+ motion.detail.button = 0;
	40
	41	- if (!RetrieveTouchDeliveryData(dev, ti, &motion,
	42	+ if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
	43	&ti->listeners[0], &client, &win, &grab,
	44	&mask))
	45	return;
	46	@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
	47	}
	48	}
	49
	50	- DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
	51	+ DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
	52	win, grab, mask);
	53	}
	54	else {
	55	InternalEvent button;
	56	int converted;
	57
	58	- converted = TouchConvertToPointerEvent(ev, &motion, &button);
	59	+ converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
	60
	61	BUG_WARN(converted == 0);
	62	if (converted)
	63	- ProcessOtherEvent(&motion, dev);
	64	+ ProcessOtherEvent((InternalEvent*)&motion, dev);
65	}
66	}
67