From 2cbbe80efc485d2d05b06efe1e2e01f81f3e06f6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 20 Feb 2014 13:18:05 +1000
Subject: Xi: check for invalid modifiers for XI2 passive grabs

The other values are checked correctly, but if a modifier was outside the
allowed range, it would go unnoticed and cause a out-of-bounds read error for
any mask equal or larger than 256. The DetailRec where we store the grab masks
is only sized to 8 * sizeof(Mask).

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0f10cfd4b903d4db293ec47c8a9a0d8b33965803)
---
 Xi/exevents.c      | 3 ++-
 Xi/xipassivegrab.c | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 528e105a3..ad0265093 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
         return BadValue;
     }
 
-    if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
+    if (param->modifiers != AnyModifier &&
+        param->modifiers != XIAnyModifier &&
         (param->modifiers & ~AllModifiersMask)) {
         client->errorValue = param->modifiers;
         return BadValue;
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 8aba97781..700622d38 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         uint8_t status = Success;
 
         param.modifiers = *modifiers;
+        ret = CheckGrabValues(client, &param);
+        if (ret != Success)
+            goto out;
+
         switch (stuff->grab_type) {
         case XIGrabtypeButton:
             status = GrabButton(client, dev, mod_dev, stuff->detail,
-- 
cgit v1.2.3