ProcGetPointerMapping uses rep.nElts before it is initialized
In:
commit d792ac125a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon Jul 9 19:12:43 2012 -0700
Use C99 designated initializers in dix Replies
the initializer for the .length element of the xGetPointerMappingReply
structure uses the value of rep.nElts, but that won't be set until
after this initializer runs, so we get garbage in the length element
and clients using it will generally wedge.
Easy to verify:
$ xmodmap -pp
Fixed by creating a local nElts variable and using that.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
parent
44bd27cdd1
commit
34cf559bcf
|
@ -1890,6 +1890,7 @@ ProcGetPointerMapping(ClientPtr client)
|
||||||
* the ClientPointer could change. */
|
* the ClientPointer could change. */
|
||||||
DeviceIntPtr ptr = PickPointer(client);
|
DeviceIntPtr ptr = PickPointer(client);
|
||||||
ButtonClassPtr butc = ptr->button;
|
ButtonClassPtr butc = ptr->button;
|
||||||
|
int nElts;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
REQUEST_SIZE_MATCH(xReq);
|
REQUEST_SIZE_MATCH(xReq);
|
||||||
|
@ -1898,15 +1899,16 @@ ProcGetPointerMapping(ClientPtr client)
|
||||||
if (rc != Success)
|
if (rc != Success)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
|
nElts = (butc) ? butc->numButtons : 0;
|
||||||
rep = (xGetPointerMappingReply) {
|
rep = (xGetPointerMappingReply) {
|
||||||
.type = X_Reply,
|
.type = X_Reply,
|
||||||
.nElts = (butc) ? butc->numButtons : 0,
|
.nElts = nElts,
|
||||||
.sequenceNumber = client->sequence,
|
.sequenceNumber = client->sequence,
|
||||||
.length = ((unsigned) rep.nElts + (4 - 1)) / 4
|
.length = ((unsigned) nElts + (4 - 1)) / 4
|
||||||
};
|
};
|
||||||
WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
|
WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
|
||||||
if (butc)
|
if (butc)
|
||||||
WriteToClient(client, (int) rep.nElts, &butc->map[1]);
|
WriteToClient(client, nElts, &butc->map[1]);
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user