From 87ca80a7196949597113225405f3e4ee03bbee13 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 24 Jan 2014 18:32:54 +1000
Subject: [PATCH] dix: prevent a driver from initializing or submitting buttons
 > MAX_BUTTONS

The server internally relies on arrays with a MAX_BUTTONS maximum size (which
is the max the core protocol can transport). Make sure a driver adheres to
that.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
---
 dix/devices.c   | 1 +
 dix/getevents.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/dix/devices.c b/dix/devices.c
index a875f03cc..1c86d5242 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1279,6 +1279,7 @@ InitButtonClassDeviceStruct(DeviceIntPtr dev, int numButtons, Atom *labels,
 
     BUG_RETURN_VAL(dev == NULL, FALSE);
     BUG_RETURN_VAL(dev->button != NULL, FALSE);
+    BUG_RETURN_VAL(numButtons >= MAX_BUTTONS, FALSE);
 
     butc = calloc(1, sizeof(ButtonClassRec));
     if (!butc)
diff --git a/dix/getevents.c b/dix/getevents.c
index 646c723ea..ffa89fad2 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1655,6 +1655,8 @@ GetPointerEvents(InternalEvent *events, DeviceIntPtr pDev, int type,
     }
 #endif
 
+    BUG_RETURN_VAL(buttons >= MAX_BUTTONS, 0);
+
     /* refuse events from disabled devices */
     if (!pDev->enabled)
         return 0;