From 389e3a4459e3b61eea3a21aba560122dbca264e6 Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller
Date: Thu, 21 Jun 2018 22:08:08 +0200
Subject: ProcGetPointerMapping uses rep.nElts before it is initialized
Backport of this xorg upstream commit (with omitting the mentioned d792ac125a0462a04a930af543cbc732f8cdab7d). commit 34cf559bcf99dad550527b5ff53f247f0e8e73ee Author: Keith Packard Date: Tue Jul 10 15:58:48 2012 -0700 ProcGetPointerMapping uses rep.nElts before it is initialized In: commit d792ac125a0462a04a930af543cbc732f8cdab7d Author: Alan Coopersmith Date: Mon Jul 9 19:12:43 2012 -0700 Use C99 designated initializers in dix Replies the initializer for the .length element of the xGetPointerMappingReply structure uses the value of rep.nElts, but that won't be set until after this initializer runs, so we get garbage in the length element and clients using it will generally wedge. Easy to verify: $ xmodmap -pp Fixed by creating a local nElts variable and using that.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
Backported-to-NX-by: Ulrich Sibiller
---
 nx-X11/programs/Xserver/dix/devices.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'nx-X11/programs/Xserver')
diff --git a/nx-X11/programs/Xserver/dix/devices.c b/nx-X11/programs/Xserver/dix/devices.c
index d31ff8224..51cf3fef9 100644
--- a/nx-X11/programs/Xserver/dix/devices.c
+++ b/nx-X11/programs/Xserver/dix/devices.c
@@ -1156,17 +1156,20 @@ ProcGetKeyboardMapping(ClientPtr client)
 int
 ProcGetPointerMapping(ClientPtr client)
 {
+ int nElts;
 xGetPointerMappingReply rep = {0};
 ButtonClassPtr butc = inputInfo.pointer->button;
+ nElts = (butc) ? butc->numButtons : 0;
 REQUEST_SIZE_MATCH(xReq);
 rep.type = X_Reply;
+ rep.nElts = nElts;
 rep.sequenceNumber = client->sequence;
- rep.nElts = butc->numButtons;
- rep.length = ((unsigned)rep.nElts + (4-1))/4;
+ rep.length = ((unsigned)nElts + (4-1))/4;
 WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
- WriteToClient(client, (int)rep.nElts, &butc->map[1]);
+ if (butc)
+ WriteToClient(client, nElts, &butc->map[1]);
 return Success;
 }
-- cgit v1.2.3
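Review bot: The `butc` NULL guard introduced at `nElts = (butc) ? butc->numButtons : 0;` and `if (butc)` is undocumented, both in the code and in the commit message, which only describes the initializer-ordering bug. The removed lines already assigned `rep.nElts` before computing `rep.length`, and this backport omits the designated-initializer commit, so the guard looks like the main behaviour change here: the old code read `butc->numButtons` and `butc->map` unconditionally, which would presumably be a NULL dereference reachable from a client request when the pointer device has no button class. I would add a comment above the assignment, `/* No button class: reply with nElts 0 and send no map bytes instead of dereferencing NULL. */`. Separately, the payload size now comes from the `int` `nElts` rather than from `rep.nElts`; the types of `numButtons` and the reply field are not visible in this hunk, so it is worth confirming that `rep.nElts = nElts;` cannot narrow and leave the header count and the bytes written in disagreement.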