[PATCH] xge: Stricter event error checking

Thu Jan 16 19:40:07 PST 2014

From: Nathan Kidd <nkidd at opentext.com>

A malicious X server claiming to not support GE but sending a GE would
SEGV the client  (always a NULL derefrence).  Possible since d1c93500.

(Also guard the EventToWire case so it's harder to shoot yourself in the
foot.)

Signed-off-by: Nathan Kidd <nkidd at opentext.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
---
 src/Xge.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/Xge.c b/src/Xge.c
index 1f37e59..412cd18 100644
--- a/src/Xge.c
+++ b/src/Xge.c
@@ -108,15 +108,18 @@ static XExtDisplayInfo *_xgeFindDisplay(Display *dpy)
                                   &xge_extension_hooks,
                                   0 /* no events, see below */,
                                   NULL);
-        /* We don't use an extension opcode, so we have to set the handlers
-         * directly. If GenericEvent would be > 64, the job would be done by
-         * XExtAddDisplay  */
-        XESetWireToEvent (dpy,
-                          GenericEvent,
-                          xge_extension_hooks.wire_to_event);
-        XESetEventToWire (dpy,
-                          GenericEvent,
-                          xge_extension_hooks.event_to_wire);
+        if (dpyinfo && dpyinfo->codes)
+        {
+            /* We don't use an extension opcode, so we have to set the handlers
+             * directly. If GenericEvent would be > 64, the job would be done by
+             * XExtAddDisplay  */
+            XESetWireToEvent (dpy,
+                              GenericEvent,
+                              xge_extension_hooks.wire_to_event);
+            XESetEventToWire (dpy,
+                              GenericEvent,
+                              xge_extension_hooks.event_to_wire);
+        }
     }
     return dpyinfo;
 }
@@ -238,7 +241,7 @@ _xgeWireToEvent(Display* dpy, XEvent* re, xEvent *event)
     int extension;
     XGEExtList it;
     XExtDisplayInfo* info = _xgeFindDisplay(dpy);
-    if (!info)
+    if (!info || !info->data)
         return False;
     /*
        _xgeCheckExtInit() calls LockDisplay, leading to a SIGABRT.
@@ -274,7 +277,7 @@ _xgeEventToWire(Display* dpy, XEvent* re, xEvent* event)
     int extension;
     XGEExtList it;
     XExtDisplayInfo* info = _xgeFindDisplay(dpy);
-    if (!info)
+    if (!info || !info->data)
         return 1; /* error! */
 
     extension = ((XGenericEvent*)re)->extension;
-- 
1.8.3.4

