dix: avoid deferencing NULL PtrCtrl

PtrCtrl really makes sense for relative pointing device only, absolute devices such as touch devices do not have any PtrCtrl set. In some cases, if the client issues a XGetPointerControl() immediatlely after a ChangeMasterDeviceClasses() copied the touch device to the VCP, a NULL pointer dereference will occur leading to a crash of Xwayland. Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and return the default control values otherwise, to avoid the NULL pointer dereference. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533 Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
author: Olivier Fourdan <ofourdan@redhat.com> 2017-12-05 09:59:06 +0100
committer: Adam Jackson <ajax@redhat.com> 2017-12-06 11:59:28 -0500
commit: 9f7a9be13d6449c00c86d3035374f4f543654b3f (patch)
tree: f68391481c6c1b5c496baabaf437e44bef7c8a81 /dix
parent: 60f4646ae10f0b57790fce46682baa531512b53e (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/dix/devices.c b/dix/devices.c
index ea3c6c8a9..4a628afb0 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2329,10 +2329,15 @@ int
 ProcGetPointerControl(ClientPtr client)
 {
     DeviceIntPtr ptr = PickPointer(client);
-    PtrCtrl *ctrl = &ptr->ptrfeed->ctrl;
+    PtrCtrl *ctrl;
     xGetPointerControlReply rep;
     int rc;
 
+    if (ptr->ptrfeed)
+        ctrl = &ptr->ptrfeed->ctrl;
+    else
+        ctrl = &defaultPointerControl;
+
     REQUEST_SIZE_MATCH(xReq);
 
     rc = XaceHook(XACE_DEVICE_ACCESS, client, ptr, DixGetAttrAccess);
author	Olivier Fourdan <ofourdan@redhat.com>	2017-12-05 09:59:06 +0100
committer	Adam Jackson <ajax@redhat.com>	2017-12-06 11:59:28 -0500
commit	9f7a9be13d6449c00c86d3035374f4f543654b3f (patch)
tree	f68391481c6c1b5c496baabaf437e44bef7c8a81 /dix
parent	60f4646ae10f0b57790fce46682baa531512b53e (diff)