dix: Fix crash in DeliverGrabbedEvents.

If both devices are synchronously grabbed, first with a GrabPointer, then with a GrabKeyboard (GrabModeSync on both), sync.other of each device points to the grab of the respective other device. If the keyboard is then thawed through a AllowSome request, the VCK's sync.other is reset to NULL. Subsequently, an event on the VCP would crash the server when dereferencing sync.other on the VCP. The check's purpose is to compare if the other device is grabbed by the same client, which should be checked by accessing (dev->deviceGrab->grab->resource). A check of the server-1.3 sources confirms that. XTS test case: Xlib13 XAllowEvents 20. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com>
2010-04-14 17:43:22 +10:00 · 2010-04-14 17:43:22 +10:00 · 9ddbb03fa5
commit 9ddbb03fa5
parent 7b65175266
1 changed files with 1 additions and 1 deletions
--- a/dix/events.c
+++ b/dix/events.c
@ -3976,7 +3976,7 @@ DeliverGrabbedEvent(InternalEvent *event, DeviceIntPtr thisDev,
 		FreezeThaw(dev, TRUE);
 		if ((dev->deviceGrab.sync.state == FREEZE_BOTH_NEXT_EVENT) &&
 		    (CLIENT_BITS(grab->resource) ==
-		     CLIENT_BITS(dev->deviceGrab.sync.other->resource)))
+		     CLIENT_BITS(dev->deviceGrab.grab->resource)))
 		    dev->deviceGrab.sync.state = FROZEN_NO_EVENT;
 		else
                    dev->deviceGrab.sync.other = grab;