<div dir="ltr"><div>Yeah, this is how I would write it.<br><br></div>Can you provide a patch, Alan?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 4, 2013 at 2:30 AM, Alan Coopersmith <span dir="ltr"><<a href="mailto:alan.coopersmith@oracle.com" target="_blank">alan.coopersmith@oracle.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 09/ 3/13 11:05 PM, Peter Hutterer wrote:<br>
>> From 8057fc810fb2815ea4c069ac9c1bc77709afb778 Mon Sep 17 00:00:00 2001<br>
>> From: Thomas Klausner <wiz@NetBSD.org><br>
>> Date: Tue, 3 Sep 2013 09:44:18 +0200<br>
>> Subject: [PATCH:xserver] Fix bug in cursor handling.<br>
>><br>
>> CreateCursor (Xlib call XCreatePixmapCursor) with a non-bitmap<br>
>> source pixmap and a None mask is supposed to error out with BadMatch,<br>
>> but didn't.<br>
>><br>
>> From der Mouse <mouse@Rodents-Montreal.ORG><br>
>><br>
>> Signed-off-by: Thomas Klausner <wiz@NetBSD.org><br>
>> ---<br>
>> dix/dispatch.c | 5 ++++-<br>
>> 1 file changed, 4 insertions(+), 1 deletion(-)<br>
>><br>
>> diff --git a/dix/dispatch.c b/dix/dispatch.c<br>
>> index 51d0de2..ae3b97b 100644<br>
>> --- a/dix/dispatch.c<br>
>> +++ b/dix/dispatch.c<br>
>> @@ -2874,9 +2874,12 @@ ProcCreateCursor(ClientPtr client)<br>
>> }<br>
>> else if (src->drawable.width != msk->drawable.width<br>
>> || src->drawable.height != msk->drawable.height<br>
>> - || src->drawable.depth != 1 || msk->drawable.depth != 1)<br>
>> + || msk->drawable.depth != 1)<br>
>> return BadMatch;<br>
>><br>
>> + if (src->drawable.depth != 1)<br>
>> + return (BadMatch);<br>
>> +<br>
><br>
> I'm staring hard at this and struggling to see the change. The previous code<br>
> already returned BadMatch for a src depth of != 1.<br>
<br>
</div></div>I couldn't see it from the patch either, but a little more context than the patch<br>
includes helps:<br>
<br>
2867 rc = dixLookupResourceByType((pointer *) &msk, stuff->mask, RT_PIXMAP,<br>
2868 client, DixReadAccess);<br>
2869 if (rc != Success) {<br>
2870 if (stuff->mask != None) {<br>
2871 client->errorValue = stuff->mask;<br>
2872 return rc;<br>
2873 }<br>
2874 }<br>
2875 else if (src->drawable.width != msk->drawable.width<br>
2876 || src->drawable.height != msk->drawable.height<br>
2877 || src->drawable.depth != 1 || msk->drawable.depth != 1)<br>
2878 return BadMatch;<br>
<br>
So if stuff->mask is None, we do a resource lookup for a pixmap with that id,<br>
which should fail, since it's None (aka 0).<br>
<br>
Thus we gp into the check at 2869, but don't match the if at 2870, so don't<br>
return. Since 2875 is the else clause for the if we already went into, we<br>
skip over all those checks.<br>
<br>
The patch moves the src->drawable.depth check out of the else clause so it's<br>
always checked, not just in the (rc == Success) case for the mask pixmap lookup.<br>
It could even be moved up above the lookup of the mask pixmap, since it only<br>
checks against the cursor image pixmap.<br>
<br>
I'm not sure if there's ever a reason to try to lookup a mask id of None,<br>
otherwise this might be easier to follow as:<br>
<br>
/* Find and validate cursor image pixmap */<br>
rc = dixLookupResourceByType((pointer *) &src, stuff->source, RT_PIXMAP,<br>
client, DixReadAccess);<br>
if (rc != Success) {<br>
client->errorValue = stuff->source;<br>
return rc;<br>
<div class="im"> }<br>
<br>
if (src->drawable.depth != 1)<br>
</div> return (BadMatch);<br>
<br>
/* Find and validate cursor mask pixmap, if one is provided */<br>
if (stuff->mask != None) {<br>
rc = dixLookupResourceByType((pointer *) &msk, stuff->mask, RT_PIXMAP,<br>
client, DixReadAccess);<br>
if (rc != Success) {<br>
client->errorValue = stuff->mask;<br>
return rc;<br>
<div class="im"> }<br>
<br>
if (src->drawable.width != msk->drawable.width<br>
|| src->drawable.height != msk->drawable.height<br>
</div><div class="im"> || msk->drawable.depth != 1)<br>
return BadMatch;<br>
}<br>
</div> else<br>
msk = NULL;<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
-Alan Coopersmith- <a href="mailto:alan.coopersmith@oracle.com">alan.coopersmith@oracle.com</a><br>
Oracle Solaris Engineering - <a href="http://blogs.oracle.com/alanc" target="_blank">http://blogs.oracle.com/alanc</a><br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
<a href="mailto:xorg-devel@lists.x.org">xorg-devel@lists.x.org</a>: X.Org development<br>
Archives: <a href="http://lists.x.org/archives/xorg-devel" target="_blank">http://lists.x.org/archives/xorg-devel</a><br>
Info: <a href="http://lists.x.org/mailman/listinfo/xorg-devel" target="_blank">http://lists.x.org/mailman/listinfo/xorg-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br> Jasper<br>
</div>