From f41ab8c60780ea8f87354e536e5b73cb23878eb7 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Fri, 24 Jan 2014 18:32:54 +1000
Subject: dix: prevent a driver from initializing or submitting buttons > MAX_BUTTONS

The server internally relies on arrays with a MAX_BUTTONS maximum size (which is the max the core protocol can transport). Make sure a driver adheres to that.

Signed-off-by: Peter Hutterer
Reviewed-by: Daniel Stone
(cherry picked from commit 87ca80a7196949597113225405f3e4ee03bbee13)
---
 dix/devices.c | 1 +
 dix/getevents.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/dix/devices.c b/dix/devices.c
index a680ed8d7..8b9f5dd93 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1279,6 +1279,7 @@ InitButtonClassDeviceStruct(DeviceIntPtr dev, int numButtons, Atom *labels,
 BUG_RETURN_VAL(dev == NULL, FALSE);
 BUG_RETURN_VAL(dev->button != NULL, FALSE);
+ BUG_RETURN_VAL(numButtons >= MAX_BUTTONS, FALSE);
 butc = calloc(1, sizeof(ButtonClassRec));
 if (!butc)
diff --git a/dix/getevents.c b/dix/getevents.c
index 14b65cabc..23f9c33f5 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1654,6 +1654,8 @@ GetPointerEvents(InternalEvent *events, DeviceIntPtr pDev, int type,
 }
 #endif
+ BUG_RETURN_VAL(buttons >= MAX_BUTTONS, 0);
+
 /* refuse events from disabled devices */
 if (!pDev->enabled)
 return 0;
--
cgit v1.2.3
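Review bot: A negative `numButtons` still passes the new guard in InitButtonClassDeviceStruct, because the parameter is a signed `int` and the check bounds it only from above. If the code after the `calloc` (outside this hunk) uses `numButtons` as a loop bound or copy length, the lower end should be rejected too: `BUG_RETURN_VAL(numButtons < 0 || numButtons >= MAX_BUTTONS, FALSE);`. The same gap appears in the GetPointerEvents hunk if `buttons` is also signed (its declaration is not visible here), where `BUG_RETURN_VAL(buttons < 0 || buttons >= MAX_BUTTONS, 0);` would cover both ends.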
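Review bot: The guard in GetPointerEvents rejects `buttons == MAX_BUTTONS`, while the commit subject speaks of buttons `> MAX_BUTTONS`, and nothing at the check says which is intended. A one-line comment above it would settle the question, for example `/* button numbers index MAX_BUTTONS-sized arrays, so MAX_BUTTONS itself is already out of range */`, assuming that is the reason for `>=`. The comment could also say that returning 0 here produces no events for the submission, as the disabled-device check just below does. The function body begins and ends outside the hunk.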