Xi: don't overrun memory for grab masks.
A grab mask provided in the request may be larger than the one used in the server. Cut down to size before memcopying. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
parent
83db2b126e
commit
59a6d7d478
|
@ -66,6 +66,7 @@ ProcXIGrabDevice(ClientPtr client)
|
|||
int ret = Success;
|
||||
uint8_t status;
|
||||
GrabMask mask;
|
||||
int mask_len;
|
||||
|
||||
REQUEST(xXIGrabDeviceReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
|
||||
|
@ -77,8 +78,9 @@ ProcXIGrabDevice(ClientPtr client)
|
|||
if (!IsMaster(dev))
|
||||
stuff->paired_device_mode = GrabModeAsync;
|
||||
|
||||
mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
|
||||
memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
|
||||
memcpy(mask.xi2mask, (char*)&stuff[1], stuff->mask_len * 4);
|
||||
memcpy(mask.xi2mask, (char*)&stuff[1], mask_len);
|
||||
|
||||
ret = GrabDevice(client, dev, stuff->grab_mode,
|
||||
stuff->paired_device_mode,
|
||||
|
|
|
@ -86,6 +86,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|||
GrabMask mask;
|
||||
GrabParameters param;
|
||||
void *tmp;
|
||||
int mask_len;
|
||||
|
||||
REQUEST(xXIPassiveGrabDeviceReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
|
||||
|
@ -127,8 +128,9 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|||
}
|
||||
}
|
||||
|
||||
mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
|
||||
memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
|
||||
memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], stuff->mask_len * 4);
|
||||
memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], mask_len * 4);
|
||||
|
||||
rep.repType = X_Reply;
|
||||
rep.RepType = X_XIPassiveGrabDevice;
|
||||
|
|
Loading…
Reference in New Issue
Block a user