diff options
author | Ulrich Sibiller <uli42@gmx.de> | 2018-06-21 22:08:08 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2018-07-03 16:13:43 +0200 |
commit | 389e3a4459e3b61eea3a21aba560122dbca264e6 (patch) | |
tree | eab2b2016e5edf8d042e0961a1354a3f18d0b75c | |
parent | 1e3db85a026338e5a56de9f75bddeff283ba24fb (diff) | |
download | nx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.tar.gz nx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.tar.bz2 nx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.zip |
ProcGetPointerMapping uses rep.nElts before it is initialized
Backport of this xorg upstream commit (with omitting the mentioned
d792ac125a0462a04a930af543cbc732f8cdab7d).
commit 34cf559bcf99dad550527b5ff53f247f0e8e73ee
Author: Keith Packard <keithp@keithp.com>
Date: Tue Jul 10 15:58:48 2012 -0700
ProcGetPointerMapping uses rep.nElts before it is initialized
In:
commit d792ac125a0462a04a930af543cbc732f8cdab7d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon Jul 9 19:12:43 2012 -0700
Use C99 designated initializers in dix Replies
the initializer for the .length element of the xGetPointerMappingReply
structure uses the value of rep.nElts, but that won't be set until
after this initializer runs, so we get garbage in the length element
and clients using it will generally wedge.
Easy to verify:
$ xmodmap -pp
Fixed by creating a local nElts variable and using that.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/programs/Xserver/dix/devices.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/dix/devices.c b/nx-X11/programs/Xserver/dix/devices.c index d31ff8224..51cf3fef9 100644 --- a/nx-X11/programs/Xserver/dix/devices.c +++ b/nx-X11/programs/Xserver/dix/devices.c @@ -1156,17 +1156,20 @@ ProcGetKeyboardMapping(ClientPtr client) int ProcGetPointerMapping(ClientPtr client) { + int nElts; xGetPointerMappingReply rep = {0}; ButtonClassPtr butc = inputInfo.pointer->button; + nElts = (butc) ? butc->numButtons : 0; REQUEST_SIZE_MATCH(xReq); rep.type = X_Reply; + rep.nElts = nElts; rep.sequenceNumber = client->sequence; - rep.nElts = butc->numButtons; - rep.length = ((unsigned)rep.nElts + (4-1))/4; + rep.length = ((unsigned)nElts + (4-1))/4; WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep); - WriteToClient(client, (int)rep.nElts, &butc->map[1]); + if (butc) + WriteToClient(client, nElts, &butc->map[1]); return Success; } |