[PATCH] Xi: check for invalid modifiers for XI2 passive grabs

Alan Coopersmith alan.coopersmith at oracle.com
Thu Feb 20 13:44:14 PST 2014


On 02/19/14 07:35 PM, Peter Hutterer wrote:
> The other values are checked correctly, but if a modifier was outside the
> allowed range, it would go unnoticed and cause a out-of-bounds read error for
> any mask equal or larger than 256. The DetailRec where we store the grab masks
> is only sized to 8 * sizeof(Mask).
>
> Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
> ---
>   Xi/exevents.c      | 3 ++-
>   Xi/xipassivegrab.c | 4 ++++
>   2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/Xi/exevents.c b/Xi/exevents.c
> index 4ed58ee..e9f670e 100644
> --- a/Xi/exevents.c
> +++ b/Xi/exevents.c
> @@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
>           return BadValue;
>       }
>
> -    if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
> +    if (param->modifiers != AnyModifier &&
> +        param->modifiers != XIAnyModifier &&
>           (param->modifiers & ~AllModifiersMask)) {
>           client->errorValue = param->modifiers;
>           return BadValue;
> diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
> index 8aba977..700622d 100644
> --- a/Xi/xipassivegrab.c
> +++ b/Xi/xipassivegrab.c
> @@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
>           uint8_t status = Success;
>
>           param.modifiers = *modifiers;
> +        ret = CheckGrabValues(client, &param);
> +        if (ret != Success)
> +            goto out;
> +
>           switch (stuff->grab_type) {
>           case XIGrabtypeButton:
>               status = GrabButton(client, dev, mod_dev, stuff->detail,
>

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc


More information about the xorg-devel mailing list