xserver: Branch 'master'

Adam Jackson ajax at kemper.freedesktop.org
Wed Dec 6 17:00:40 UTC 2017


 dix/devices.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit 9f7a9be13d6449c00c86d3035374f4f543654b3f
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Tue Dec 5 09:59:06 2017 +0100

    dix: avoid dereferencing NULL PtrCtrl
    
    PtrCtrl really makes sense for relative pointing device only, absolute
    devices such as touch devices do not have any PtrCtrl set.
    
    In some cases, if the client issues an XGetPointerControl() immediately
    after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
    a NULL pointer dereference will occur leading to a crash of Xwayland.
    
    Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
    return the default control values otherwise, to avoid the NULL pointer
    dereference.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>

diff --git a/dix/devices.c b/dix/devices.c
index ea3c6c8a9..4a628afb0 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2329,10 +2329,15 @@ int
 ProcGetPointerControl(ClientPtr client)
 {
     DeviceIntPtr ptr = PickPointer(client);
-    PtrCtrl *ctrl = &ptr->ptrfeed->ctrl;
+    PtrCtrl *ctrl;
     xGetPointerControlReply rep;
     int rc;
 
+    if (ptr->ptrfeed)
+        ctrl = &ptr->ptrfeed->ctrl;
+    else
+        ctrl = &defaultPointerControl;
+
     REQUEST_SIZE_MATCH(xReq);
 
     rc = XaceHook(XACE_DEVICE_ACCESS, client, ptr, DixGetAttrAccess);
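Review bot: The new `if (ptr->ptrfeed)` / `else` fallback to `&defaultPointerControl` has no comment, so someone reading devices.c later cannot tell when the picked pointer legitimately has no ptrfeed. A one-line comment above the guard, giving the reason from the commit message (absolute devices such as touch devices copied to the VCP have no PtrCtrl), would keep that next to the code. The guard also still dereferences `ptr` unchecked, as the removed initializer did, so it relies on PickPointer() never returning NULL. If other request handlers read `ptr->ptrfeed` on the picked pointer in the same way, they would need the same guard.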

