[PATCH] Xi: check for invalid modifiers for XI2 passive grabs
Alan Coopersmith
alan.coopersmith at oracle.com
Thu Feb 20 13:44:14 PST 2014
On 02/19/14 07:35 PM, Peter Hutterer wrote:
> The other values are checked correctly, but if a modifier was outside the
> allowed range, it would go unnoticed and cause a out-of-bounds read error for
> any mask equal or larger than 256. The DetailRec where we store the grab masks
> is only sized to 8 * sizeof(Mask).
>
> Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
> ---
> Xi/exevents.c | 3 ++-
> Xi/xipassivegrab.c | 4 ++++
> 2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/Xi/exevents.c b/Xi/exevents.c
> index 4ed58ee..e9f670e 100644
> --- a/Xi/exevents.c
> +++ b/Xi/exevents.c
> @@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
> return BadValue;
> }
>
> - if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
> + if (param->modifiers != AnyModifier &&
> + param->modifiers != XIAnyModifier &&
> (param->modifiers & ~AllModifiersMask)) {
> client->errorValue = param->modifiers;
> return BadValue;
> diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
> index 8aba977..700622d 100644
> --- a/Xi/xipassivegrab.c
> +++ b/Xi/xipassivegrab.c
> @@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> uint8_t status = Success;
>
> param.modifiers = *modifiers;
> + ret = CheckGrabValues(client, ¶m);
> + if (ret != Success)
> + goto out;
> +
> switch (stuff->grab_type) {
> case XIGrabtypeButton:
> status = GrabButton(client, dev, mod_dev, stuff->detail,
>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel
mailing list