aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Sibiller <uli42@gmx.de>2018-06-21 22:08:08 +0200
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2018-07-03 16:13:43 +0200
commit389e3a4459e3b61eea3a21aba560122dbca264e6 (patch)
treeeab2b2016e5edf8d042e0961a1354a3f18d0b75c
parent1e3db85a026338e5a56de9f75bddeff283ba24fb (diff)
downloadnx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.tar.gz
nx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.tar.bz2
nx-libs-389e3a4459e3b61eea3a21aba560122dbca264e6.zip
ProcGetPointerMapping uses rep.nElts before it is initialized
Backport of this xorg upstream commit (with omitting the mentioned d792ac125a0462a04a930af543cbc732f8cdab7d). commit 34cf559bcf99dad550527b5ff53f247f0e8e73ee Author: Keith Packard <keithp@keithp.com> Date: Tue Jul 10 15:58:48 2012 -0700 ProcGetPointerMapping uses rep.nElts before it is initialized In: commit d792ac125a0462a04a930af543cbc732f8cdab7d Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Mon Jul 9 19:12:43 2012 -0700 Use C99 designated initializers in dix Replies the initializer for the .length element of the xGetPointerMappingReply structure uses the value of rep.nElts, but that won't be set until after this initializer runs, so we get garbage in the length element and clients using it will generally wedge. Easy to verify: $ xmodmap -pp Fixed by creating a local nElts variable and using that. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/programs/Xserver/dix/devices.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/dix/devices.c b/nx-X11/programs/Xserver/dix/devices.c
index d31ff8224..51cf3fef9 100644
--- a/nx-X11/programs/Xserver/dix/devices.c
+++ b/nx-X11/programs/Xserver/dix/devices.c
@@ -1156,17 +1156,20 @@ ProcGetKeyboardMapping(ClientPtr client)
int
ProcGetPointerMapping(ClientPtr client)
{
+ int nElts;
xGetPointerMappingReply rep = {0};
ButtonClassPtr butc = inputInfo.pointer->button;
+ nElts = (butc) ? butc->numButtons : 0;
REQUEST_SIZE_MATCH(xReq);
rep.type = X_Reply;
+ rep.nElts = nElts;
rep.sequenceNumber = client->sequence;
- rep.nElts = butc->numButtons;
- rep.length = ((unsigned)rep.nElts + (4-1))/4;
+ rep.length = ((unsigned)nElts + (4-1))/4;
WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
- WriteToClient(client, (int)rep.nElts, &butc->map[1]);
+ if (butc)
+ WriteToClient(client, nElts, &butc->map[1]);
return Success;
}