Skip to content

N
nx-libs
Commit 389e3a44 authored by Ulrich Sibiller's avatar Ulrich Sibiller Committed by Mike Gabriel
Browse files
Options

ProcGetPointerMapping uses rep.nElts before it is initialized

Backport of this xorg upstream commit (with omitting the mentioned d792ac125a0462a04a930af543cbc732f8cdab7d). commit 34cf559bcf99dad550527b5ff53f247f0e8e73ee Author: Keith Packard <keithp@keithp.com> Date: Tue Jul 10 15:58:48 2012 -0700 ProcGetPointerMapping uses rep.nElts before it is initialized In: commit d792ac125a0462a04a930af543cbc732f8cdab7d Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Mon Jul 9 19:12:43 2012 -0700 Use C99 designated initializers in dix Replies the initializer for the .length element of the xGetPointerMappingReply structure uses the value of rep.nElts, but that won't be set until after this initializer runs, so we get garbage in the length element and clients using it will generally wedge. Easy to verify: $ xmodmap -pp Fixed by creating a local nElts variable and using that. Signed-off-by: 's avatarKeith Packard <keithp@keithp.com> Reviewed-by: 's avatarAlan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: 's avatarUlrich Sibiller <uli42@gmx.de>
parent 1e3db85a
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 3 deletions
nx-X11/programs/Xserver/dix/devices.c
View file @ 389e3a44
...@@ -1156,17 +1156,20 @@ ProcGetKeyboardMapping(ClientPtr client) ...@@ -1156,17 +1156,20 @@ ProcGetKeyboardMapping(ClientPtr client)
int int
ProcGetPointerMapping(ClientPtr client) ProcGetPointerMapping(ClientPtr client)
{ {
int nElts;
xGetPointerMappingReply rep = {0}; xGetPointerMappingReply rep = {0};
ButtonClassPtr butc = inputInfo.pointer->button; ButtonClassPtr butc = inputInfo.pointer->button;
nElts = (butc) ? butc->numButtons : 0;
REQUEST_SIZE_MATCH(xReq); REQUEST_SIZE_MATCH(xReq);
rep.type = X_Reply; rep.type = X_Reply;
rep.nElts = nElts;
rep.sequenceNumber = client->sequence; rep.sequenceNumber = client->sequence;
rep.nElts = butc->numButtons; rep.length = ((unsigned)nElts + (4-1))/4;
rep.length = ((unsigned)rep.nElts + (4-1))/4;
WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep); WriteReplyToClient(client, sizeof(xGetPointerMappingReply), &rep);
WriteToClient(client, (int)rep.nElts, &butc->map[1]); if (butc)
WriteToClient(client, nElts, &butc->map[1]);
return Success; return Success;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment