From 9ddbb03fa56aa73c3f417d8ee6433e45b94445b3 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 14 Apr 2010 17:43:22 +1000
Subject: [PATCH] dix: Fix crash in DeliverGrabbedEvents.

If both devices are synchronously grabbed, first with a GrabPointer, then
with a GrabKeyboard (GrabModeSync on both), sync.other of each device points
to the grab of the respective other device.

If the keyboard is then thawed through a AllowSome request, the VCK's
sync.other is reset to NULL. Subsequently, an event on the VCP would crash
the server when dereferencing sync.other on the VCP.

The check's purpose is to compare if the other device is grabbed by the same
client, which should be checked by accessing (dev->deviceGrab->grab->resource).
A check of the server-1.3 sources confirms that.

XTS test case: Xlib13 XAllowEvents 20.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
---
 dix/events.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dix/events.c b/dix/events.c
index 654165251..24c9e8405 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -3976,7 +3976,7 @@ DeliverGrabbedEvent(InternalEvent *event, DeviceIntPtr thisDev,
 		FreezeThaw(dev, TRUE);
 		if ((dev->deviceGrab.sync.state == FREEZE_BOTH_NEXT_EVENT) &&
 		    (CLIENT_BITS(grab->resource) ==
-		     CLIENT_BITS(dev->deviceGrab.sync.other->resource)))
+		     CLIENT_BITS(dev->deviceGrab.grab->resource)))
 		    dev->deviceGrab.sync.state = FROZEN_NO_EVENT;
 		else
                     dev->deviceGrab.sync.other = grab;