xserver: Branch 'master'

Keith Packard keithp at kemper.freedesktop.org
Tue Jul 10 23:07:26 PDT 2012


 dix/devices.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

New commits:
commit 34cf559bcf99dad550527b5ff53f247f0e8e73ee
Author: Keith Packard <keithp at keithp.com>
Date:   Tue Jul 10 15:58:48 2012 -0700

    ProcGetPointerMapping uses rep.nElts before it is initialized
    
    In:
    
    	commit d792ac125a0462a04a930af543cbc732f8cdab7d
    	Author: Alan Coopersmith <alan.coopersmith at oracle.com>
    	Date:   Mon Jul 9 19:12:43 2012 -0700
    
    	    Use C99 designated initializers in dix Replies
    
    the initializer for the .length element of the xGetPointerMappingReply
    structure uses the value of rep.nElts, but that won't be set until
    after this initializer runs, so we get garbage in the length element
    and clients using it will generally wedge.
    
    Easy to verify:
    
    	$ xmodmap -pp
    
    Fixed by creating a local nElts variable and using that.
    
    Signed-off-by: Keith Packard <keithp at keithp.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/dix/devices.c b/dix/devices.c
index 839de35..207b78b 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1890,6 +1890,7 @@ ProcGetPointerMapping(ClientPtr client)
      * the ClientPointer could change. */
     DeviceIntPtr ptr = PickPointer(client);
     ButtonClassPtr butc = ptr->button;
+    int nElts;
     int rc;
 
     REQUEST_SIZE_MATCH(xReq);
@@ -1898,15 +1899,16 @@ ProcGetPointerMapping(ClientPtr client)
     if (rc != Success)
         return rc;
 
+    nElts = (butc) ? butc->numButtons : 0;
     rep = (xGetPointerMappingReply) {
         .type = X_Reply,
-        .nElts = (butc) ? butc->numButtons : 0,
+        .nElts = nElts,
         .sequenceNumber = client->sequence,
-        .length = ((unsigned) rep.nElts + (4 - 1)) / 4
+        .length = ((unsigned) nElts + (4 - 1)) / 4
     };
     WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
     if (butc)
-        WriteToClient(client, (int) rep.nElts, &butc->map[1]);
+        WriteToClient(client, nElts, &butc->map[1]);
     return Success;
 }
 
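Review bot: `nElts` is declared as `int` in the first hunk, but it is assigned to `.nElts`, which the casts in the removed lines (`(int) rep.nElts`, `(unsigned) rep.nElts`) suggest is a narrower field. If `butc->numButtons` could ever exceed that field's range (its type is not visible in these hunks), the reply header would carry a truncated count while `.length` and the `WriteToClient` byte count use the full value, so the header and the payload written to the client would disagree. Declaring the local with the same type as the reply field would keep all three uses identical. A comment above the assignment, such as `/* computed first: rep cannot be read inside its own initializer; value must fit the reply's nElts field */`, would also stop a later cleanup from folding the expression back into the literal. ProcGetPointerMapping begins before the first hunk, so the declaration of `rep` and the code that sets `rc` are not visible here.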

