| 1 | commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3 |
| 2 | Author: Peter Hutterer <peter.hutterer@who-t.net> |
| 3 | Date: Tue Apr 29 16:52:01 2014 +1000 |
| 4 | |
| 5 | Xi: don't copy a DeviceEvent into an InternalEvent |
| 6 | |
| 7 | ==26141== Invalid read of size 8 |
| 8 | ==26141== at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484) |
| 9 | |
| 10 | An InternalEvent is bigger than a DeviceEvent, thus copying one to the other |
| 11 | reads past the allocated boundary. Shouldn't have any real effect since we |
| 12 | shouldn't access anything past the DeviceEvent boundary if the event type is |
| 13 | correct. |
| 14 | |
| 15 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 16 | |
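--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1469,7 +1469,7 @@ static void
 DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
 InternalEvent *ev)
 {
- InternalEvent motion;
+ DeviceEvent motion;
 
 if (ti->num_listeners) {
 ClientPtr client;
@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
 ti->listeners[0].type != LISTENER_POINTER_GRAB)
 return;
 
- motion = *ev;
- motion.any.type = ET_TouchUpdate;
- motion.device_event.detail.button = 0;
+ motion = ev->device_event;
+ motion.type = ET_TouchUpdate;
+ motion.detail.button = 0;
 
- if (!RetrieveTouchDeliveryData(dev, ti, &motion,
+ if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
 &ti->listeners[0], &client, &win, &grab,
 &mask))
 return;
@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr
 }
 }
 
- DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
+ DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
 win, grab, mask);
 }
 else {
 InternalEvent button;
 int converted;
 
- converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
+ converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
 
 BUG_WARN(converted == 0);
 if (converted)
- ProcessOtherEvent(&motion, dev);
+ ProcessOtherEvent((InternalEvent*)&motion, dev);
 }
 }
 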
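Review bot: The `(InternalEvent*)&motion` casts hand each callee a pointer to storage that is only `sizeof(DeviceEvent)`, so any callee that assigns through it as a whole `InternalEvent` would write past the end of the stack variable, which is worse than the over-read being fixed. The call to check first is `TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button)` in the else branch, because `motion` is an output argument there and is not initialised beforehand; the callee's body is not visible in this diff, so this needs confirming against its definition. The casts also silence the compiler's type check, so a later change in any of the four callees could introduce the overflow unnoticed. A shape that still removes the invalid read without shrinking the buffer is to keep `InternalEvent motion;` and copy only the member, `motion.device_event = ev->device_event;`, which leaves the original `&motion` arguments valid with no casts.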