[PATCH] ProcGetPointerMapping uses rep.nElts before it is initialized
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Jul 10 17:06:57 PDT 2012
On 07/10/12 04:03 PM, Keith Packard wrote:
> In:
>
> commit d792ac125a0462a04a930af543cbc732f8cdab7d
> Author: Alan Coopersmith <alan.coopersmith at oracle.com>
> Date: Mon Jul 9 19:12:43 2012 -0700
>
> Use C99 designated initializers in dix Replies
>
> the initializer for the .length element of the xGetPointerMappingReply
> structure uses the value of rep.nElts, but that won't be set until
> after this initializer runs, so we get garbage in the length element
> and clients using it will generally wedge.
>
> Easy to verify:
>
> $ xmodmap -pp
>
> Fixed by creating a local nElts variable and using that.
>
> Signed-off-by: Keith Packard <keithp at keithp.com>
> ---
> dix/devices.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/dix/devices.c b/dix/devices.c
> index 839de35..207b78b 100644
> --- a/dix/devices.c
> +++ b/dix/devices.c
> @@ -1890,6 +1890,7 @@ ProcGetPointerMapping(ClientPtr client)
> * the ClientPointer could change. */
> DeviceIntPtr ptr = PickPointer(client);
> ButtonClassPtr butc = ptr->button;
> + int nElts;
> int rc;
>
> REQUEST_SIZE_MATCH(xReq);
> @@ -1898,15 +1899,16 @@ ProcGetPointerMapping(ClientPtr client)
> if (rc != Success)
> return rc;
>
> + nElts = (butc) ? butc->numButtons : 0;
> rep = (xGetPointerMappingReply) {
> .type = X_Reply,
> - .nElts = (butc) ? butc->numButtons : 0,
> + .nElts = nElts,
> .sequenceNumber = client->sequence,
> - .length = ((unsigned) rep.nElts + (4 - 1)) / 4
> + .length = ((unsigned) nElts + (4 - 1)) / 4
> };
> WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
> if (butc)
> - WriteToClient(client, (int) rep.nElts, &butc->map[1]);
> + WriteToClient(client, nElts, &butc->map[1]);
> return Success;
> }
>
Oops, sorry about missing that one.
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel
mailing list