From b059e06e19ac9417ceeb8be58c1c91b159291865 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Mon, 29 Aug 2011 12:36:26 +1000
Subject: [PATCH] dix: don't allow keyboard devices to submit motion or button events.

GPE unconditionally dereferences pDev->valuator if a mask is present. This shouldn't really happen but if it does, don't crash, just ignore the events with an error.

Signed-off-by: Peter Hutterer
Reviewed-by: Jamey Sharp
Reviewed-by: Daniel Stone
---
 dix/getevents.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/dix/getevents.c b/dix/getevents.c
index 992669313..98d8cf0f1 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1099,6 +1099,11 @@ fill_pointer_events(InternalEvent *events, DeviceIntPtr pDev, int type,
 switch (type)
 {
 case MotionNotify:
+ if (!pDev->valuator)
+ {
+ ErrorF("[dix] motion events from device %d without valuators\n", pDev->id);
+ return 0;
+ }
 if (!mask_in || valuator_mask_num_valuators(mask_in) <= 0)
 return 0;
 break;
@@ -1106,6 +1111,11 @@ fill_pointer_events(InternalEvent *events, DeviceIntPtr pDev, int type,
 case ButtonRelease:
 if (!pDev->button || !buttons)
 return 0;
+ if (mask_in && valuator_mask_size(mask_in) > 0 && !pDev->valuator)
+ {
+ ErrorF("[dix] button event with valuator from device %d without valuators\n", pDev->id);
+ return 0;
+ }
 break;
 default:
 return 0;
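Review bot: The `ErrorF` added under `case MotionNotify:` runs on every rejected event with no throttling, so a driver that keeps submitting motion for a device without valuators writes one log line per event and can flood the server log; the button-event `ErrorF` in the second hunk behaves the same way. Logging the condition once keeps the diagnostic without the flood, for example `static Bool warned;` followed by `if (!warned) { warned = TRUE; ErrorF(...); }` around the existing call, though a per-device flag would be more precise. If this function can be reached from the input signal handler, which is not visible here, it is also worth confirming that the formatted `ErrorF` call is safe in that context. The body of fill_pointer_events starts and ends outside the hunk.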
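Review bot: The new guard in the `ButtonRelease` case only rejects a mask when `pDev->valuator` is NULL; nothing in the visible lines bounds the mask against the number of axes the device actually has. If the code after this switch indexes per-axis data by mask bit (it lies outside the hunk, so this is an assumption to confirm), a mask larger than the device's axis count would still pass both this case and the `MotionNotify` one. A check such as `if (mask_in && pDev->valuator && valuator_mask_size(mask_in) > pDev->valuator->numAxes) return 0;` after the switch would close that gap; if the range is already enforced elsewhere, a comment saying where would do. The two cases also test for an empty mask with different helpers (`valuator_mask_num_valuators` and `valuator_mask_size`); using the same one in both would read more clearly.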