Imported Debian patch 2:1.15.1-0ubuntu2.6

[deb_xorg-server.git] / debian / patches / xi-dont-copy-too-much.patch

diff --git a/debian/patches/xi-dont-copy-too-much.patch b/debian/patches/xi-dont-copy-too-much.patch
new file mode 100644 (file)
index 0000000..117f7f4
--- /dev/null
+++ b/debian/patches/xi-dont-copy-too-much.patch
@@ -0,0 +1,67 @@
+commit 56929f41e6c4cc1b2d72a33d14b4d993e7b613a3
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date:   Tue Apr 29 16:52:01 2014 +1000
+
+    Xi: don't copy a DeviceEvent into an InternalEvent
+    
+    ==26141== Invalid read of size 8
+    ==26141==    at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
+    
+    An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
+    reads past the allocated boundary. Shouldn't have any real effect since we
+    shouldn't access anything past the DeviceEvent boundary if the event type is
+    correct.
+    
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 9c207eb..02530bd 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -1469,7 +1469,7 @@ static void
+ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
+                            InternalEvent *ev)
+ {
+-    InternalEvent motion;
++    DeviceEvent motion;
+ 
+     if (ti->num_listeners) {
+         ClientPtr client;
+@@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
+             ti->listeners[0].type != LISTENER_POINTER_GRAB)
+             return;
+ 
+-        motion = *ev;
+-        motion.any.type = ET_TouchUpdate;
+-        motion.device_event.detail.button = 0;
++        motion = ev->device_event;
++        motion.type = ET_TouchUpdate;
++        motion.detail.button = 0;
+ 
+-        if (!RetrieveTouchDeliveryData(dev, ti, &motion,
++        if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion,
+                                        &ti->listeners[0], &client, &win, &grab,
+                                        &mask))
+             return;
+@@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
+             }
+         }
+ 
+-        DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client,
++        DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client,
+                                   win, grab, mask);
+     }
+     else {
+         InternalEvent button;
+         int converted;
+ 
+-        converted = TouchConvertToPointerEvent(ev, &motion, &button);
++        converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button);
+ 
+         BUG_WARN(converted == 0);
+         if (converted)
+-            ProcessOtherEvent(&motion, dev);
++            ProcessOtherEvent((InternalEvent*)&motion, dev);
+     }
+ }
+