diff options
| author | Peter Hutterer <peter.hutterer@who-t.net> | 2014-04-29 16:52:01 +1000 |
|---|---|---|
| committer | Keith Packard <keithp@keithp.com> | 2014-05-08 12:59:43 -0700 |
| commit | 8e2fefe3ef247f8b5d74e32e8d37c619b06fc60c (patch) | |
| tree | 2af7f718afc64e7e641c03386584dfef7e9010da | |
| parent | d7ac9aff061f2961e6b76557dda97b57988ce362 (diff) | |
Xi: don't copy a DeviceEvent into an InternalEvent
==26141== Invalid read of size 8
==26141== at 0x58FAEA: DeliverEmulatedMotionEvent (exevents.c:1484)
An InternalEvent is bigger than a DeviceEvent, thus copying one to the other
reads past the allocated boundary. Shouldn't have any real effect since we
shouldn't access anything past the DeviceEvent boundary if the event type is
correct.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
| -rw-r--r-- | Xi/exevents.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c index 9c207eb23..02530bdee 100644 --- a/Xi/exevents.c +++ b/Xi/exevents.c @@ -1469,7 +1469,7 @@ static void DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti, InternalEvent *ev) { - InternalEvent motion; + DeviceEvent motion; if (ti->num_listeners) { ClientPtr client; @@ -1481,11 +1481,11 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti, ti->listeners[0].type != LISTENER_POINTER_GRAB) return; - motion = *ev; - motion.any.type = ET_TouchUpdate; - motion.device_event.detail.button = 0; + motion = ev->device_event; + motion.type = ET_TouchUpdate; + motion.detail.button = 0; - if (!RetrieveTouchDeliveryData(dev, ti, &motion, + if (!RetrieveTouchDeliveryData(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], &client, &win, &grab, &mask)) return; @@ -1500,18 +1500,18 @@ DeliverEmulatedMotionEvent(DeviceIntPtr dev, TouchPointInfoPtr ti, } } - DeliverTouchEmulatedEvent(dev, ti, &motion, &ti->listeners[0], client, + DeliverTouchEmulatedEvent(dev, ti, (InternalEvent*)&motion, &ti->listeners[0], client, win, grab, mask); } else { InternalEvent button; int converted; - converted = TouchConvertToPointerEvent(ev, &motion, &button); + converted = TouchConvertToPointerEvent(ev, (InternalEvent*)&motion, &button); BUG_WARN(converted == 0); if (converted) - ProcessOtherEvent(&motion, dev); + ProcessOtherEvent((InternalEvent*)&motion, dev); } } |