xserver: Branch 'server-1.9-branch'

Jeremy Huddleston jeremyhu at kemper.freedesktop.org
Mon Jan 24 22:22:17 PST 2011


 dix/getevents.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

New commits:
commit 188148e1cc1cdecc7731a4251a9ecb9dd73e6241
Author: Oliver McFadden <oliver.mcfadden at nokia.com>
Date:   Mon Jan 24 22:03:30 2011 +0200

    dix: GetPointerEvents: added valuator range checking
    
    Button events may be sent with no valuators (e.g. to simply indicate
    ButtonPress or ButtonRelease without any coordinates); when this happens
    the server would read uninitialized memory.
    
    ==9999== Conditional jump or move depends on uninitialised value(s)
    ==9999==    at 0x48E87E8: pixman_f_transform_point (in /usr/lib/libpixman-1.so.0.18.2)
    ==9999==  Uninitialised value was created by a stack allocation
    ==9999==    at 0x37524: GetPointerEvents (getevents.c:1074)
    ==9999==
    ==9999== Conditional jump or move depends on uninitialised value(s)
    ==9999==    at 0x496D074: lround (s_lround.c:40)
    ==9999==    by 0x3773B: GetPointerEvents (getevents.c:1048)
    ==9999==    by 0x683BB: xf86PostButtonEventP (xf86Xinput.c:1162)
    ==9999==    by 0x6853B: xf86PostButtonEvent (xf86Xinput.c:1126)
    ==9999==    by 0x5779037: process_state (multitouch.c:321)      (xf86-input-mtev)
    ==9999==    by 0x577908F: read_input (multitouch.c:331))        (xf86-input-mtev)
    ==9999==    by 0x66B4F: xf86SigioReadInput (xf86Events.c:298)
    ==9999==    by 0x112697: xf86SIGIO (sigio.c:118)
    ==9999==    by 0x4A12B2F: ??? (sigrestorer.S:51)
    ==9999==  Uninitialised value was created by a stack allocation
    ==9999==    at 0x37524: GetPointerEvents (getevents.c:1074)
    
    Signed-off-by: Oliver McFadden <oliver.mcfadden at nokia.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>

diff --git a/dix/getevents.c b/dix/getevents.c
index 8c64f1d..c44abdc 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1034,19 +1034,21 @@ FreeEventList(EventListPtr list, int num_events)
 }
 
 static void
-transformAbsolute(DeviceIntPtr dev, int v[MAX_VALUATORS])
+transformAbsolute(DeviceIntPtr dev, int first, int num, int *valuators)
 {
-    struct pixman_f_vector p;
+    struct pixman_f_vector p = { .v = {0.0, 0.0, 1.0} };
 
     /* p' = M * p in homogeneous coordinates */
-    p.v[0] = v[0];
-    p.v[1] = v[1];
-    p.v[2] = 1.0;
+    if (num >= 1 && first == 0)
+        p.v[0] = *(valuators + 0);
+
+    if (first <= 1 && num >= (2 - first))
+        p.v[1] = *(valuators + 1 - first);
 
     pixman_f_transform_point(&dev->transform, &p);
 
-    v[0] = lround(p.v[0]);
-    v[1] = lround(p.v[1]);
+    valuators[0] = lround(p.v[0]);
+    valuators[1] = lround(p.v[1]);
 }
 
 /**
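Review bot: The write-back at the end of transformAbsolute still stores to `valuators[0]` and `valuators[1]` unconditionally and ignores `first`, so the new range checks protect only the reads. With `num == 0` (the button-only event described in the commit message) both stores land in slots the caller never supplied, and with `first == 1` the transformed x overwrites the slot that carries y while the transformed y goes to the slot for axis 2. Whether the caller's buffer is large enough for those stores is not visible in this hunk, so this should be treated as a possible out-of-range write. Mirror the read guards on the stores: `if (num >= 1 && first == 0) valuators[0] = lround(p.v[0]);` and `if (first <= 1 && num >= (2 - first)) valuators[1 - first] = lround(p.v[1]);`. The call site in the second hunk (GetPointerEvents) already passes `first_valuator` and `num_valuators`, so it needs no change.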
@@ -1124,7 +1126,7 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
                         scr->height);
         }
 
-        transformAbsolute(pDev, valuators);
+        transformAbsolute(pDev, first_valuator, num_valuators, valuators);
         moveAbsolute(pDev, &x, &y, first_valuator, num_valuators, valuators);
     } else {
         if (flags & POINTER_ACCELERATE) {

