diff options
| author | Peter Hutterer <peter.hutterer@who-t.net> | 2014-01-24 18:32:54 +1000 |
|---|---|---|
| committer | Peter Hutterer <peter.hutterer@who-t.net> | 2014-02-19 10:25:00 +1000 |
| commit | f41ab8c60780ea8f87354e536e5b73cb23878eb7 (patch) | |
| tree | 4786e10d8080e2f7ea595598f8b4be145146f8b8 | |
| parent | 4447d71b9a74afe91aaf4cc01eae12a44ef09306 (diff) | |
dix: prevent a driver from initializing or submitting buttons > MAX_BUTTONS
The server internally relies on arrays with a MAX_BUTTONS maximum size (which
is the max the core protocol can transport). Make sure a driver adheres to
that.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
(cherry picked from commit 87ca80a7196949597113225405f3e4ee03bbee13)
| -rw-r--r-- | dix/devices.c | 1 | ||||
| -rw-r--r-- | dix/getevents.c | 2 |
2 files changed, 3 insertions, 0 deletions
diff --git a/dix/devices.c b/dix/devices.c index a680ed8d7..8b9f5dd93 100644 --- a/dix/devices.c +++ b/dix/devices.c @@ -1279,6 +1279,7 @@ InitButtonClassDeviceStruct(DeviceIntPtr dev, int numButtons, Atom *labels, BUG_RETURN_VAL(dev == NULL, FALSE); BUG_RETURN_VAL(dev->button != NULL, FALSE); + BUG_RETURN_VAL(numButtons >= MAX_BUTTONS, FALSE); butc = calloc(1, sizeof(ButtonClassRec)); if (!butc) diff --git a/dix/getevents.c b/dix/getevents.c index 14b65cabc..23f9c33f5 100644 --- a/dix/getevents.c +++ b/dix/getevents.c @@ -1654,6 +1654,8 @@ GetPointerEvents(InternalEvent *events, DeviceIntPtr pDev, int type, } #endif + BUG_RETURN_VAL(buttons >= MAX_BUTTONS, 0); + /* refuse events from disabled devices */ if (!pDev->enabled) return 0; |