Xi: don't overrun memory for grab masks.

A grab mask provided in the request may be larger than the one used in the server. Cut down to size before memcopying. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2009-09-01 16:30:52 +10:00 · 2009-09-01 16:30:52 +10:00 · 59a6d7d478
commit 59a6d7d478
parent 83db2b126e
2 changed files with 6 additions and 2 deletions
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@ -66,6 +66,7 @@ ProcXIGrabDevice(ClientPtr client)
    int ret = Success;
    uint8_t status;
    GrabMask mask;
+    int mask_len;

    REQUEST(xXIGrabDeviceReq);
    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
@ -77,8 +78,9 @@ ProcXIGrabDevice(ClientPtr client)
    if (!IsMaster(dev))
        stuff->paired_device_mode = GrabModeAsync;

+    mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
    memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
-    memcpy(mask.xi2mask, (char*)&stuff[1], stuff->mask_len * 4);
+    memcpy(mask.xi2mask, (char*)&stuff[1], mask_len);

    ret = GrabDevice(client, dev, stuff->grab_mode,
                     stuff->paired_device_mode,
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@ -86,6 +86,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
    GrabMask mask;
    GrabParameters param;
    void *tmp;
+    int mask_len;

    REQUEST(xXIPassiveGrabDeviceReq);
    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
@ -127,8 +128,9 @@ ProcXIPassiveGrabDevice(ClientPtr client)
        }
    }

+    mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
    memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
-    memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], stuff->mask_len * 4);
+    memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], mask_len * 4);

    rep.repType = X_Reply;
    rep.RepType = X_XIPassiveGrabDevice;