From 34cf559bcf99dad550527b5ff53f247f0e8e73ee Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Tue, 10 Jul 2012 15:58:48 -0700
Subject: [PATCH] ProcGetPointerMapping uses rep.nElts before it is initialized
In:
commit d792ac125a0462a04a930af543cbc732f8cdab7d
Author: Alan Coopersmith
Date: Mon Jul 9 19:12:43 2012 -0700
Use C99 designated initializers in dix Replies
the initializer for the .length element of the xGetPointerMappingReply structure uses the value of rep.nElts, but that won't be set until after this initializer runs, so we get garbage in the length element and clients using it will generally wedge.
Easy to verify:
$ xmodmap -pp
Fixed by creating a local nElts variable and using that.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
---
 dix/devices.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dix/devices.c b/dix/devices.c
index 839de35aa..207b78b87 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1890,6 +1890,7 @@ ProcGetPointerMapping(ClientPtr client)
 * the ClientPointer could change. */
 DeviceIntPtr ptr = PickPointer(client);
 ButtonClassPtr butc = ptr->button;
+ int nElts;
 int rc;
 REQUEST_SIZE_MATCH(xReq);
@@ -1898,15 +1899,16 @@ ProcGetPointerMapping(ClientPtr client)
 if (rc != Success)
 return rc;
+ nElts = (butc) ? butc->numButtons : 0;
 rep = (xGetPointerMappingReply) {
 .type = X_Reply,
- .nElts = (butc) ? butc->numButtons : 0,
+ .nElts = nElts,
 .sequenceNumber = client->sequence,
- .length = ((unsigned) rep.nElts + (4 - 1)) / 4
+ .length = ((unsigned) nElts + (4 - 1)) / 4
 };
 WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
 if (butc)
- WriteToClient(client, (int) rep.nElts, &butc->map[1]);
+ WriteToClient(client, nElts, &butc->map[1]);
 return Success;
 }
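Review bot: The added `nElts = (butc) ? butc->numButtons : 0;` in the second hunk carries no comment saying why it has to stay outside the compound literal, so a later tidy-up could fold it back into the initializer and bring back the read of `rep.nElts` before it is set, which sent a garbage `length` to the client. I would put `/* computed first: the initializer below cannot read rep.nElts while rep is still being built */` above it. The same value now drives the header count, `length` and the `WriteToClient` byte count starting at `&butc->map[1]`, and it is declared `int` in the first hunk while `.nElts = nElts` presumably narrows to a smaller reply field (its type is not visible here). It is worth confirming that `numButtons` always fits that field and never exceeds what `map` holds past index 0. ProcGetPointerMapping starts above the first hunk, so the declaration of `rep` and the access check are not visible here.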