Calling XTestFakeDevice*Event on a device that doesn't allow the matching
event returns BadValue.
Reported-by: Florian Echtler
Signed-off-by: Peter Hutterer peter.hutte...@who-t.net
---
On Sat, Jun 27, 2009 at 03:05:48PM +0200, Florian Echtler wrote:
just a very short bug report: yesterday, I made my Xserver segfault by
using XTestFakeDeviceMotionEvent. I passed an XDevice struct looking as
follows: XDevice dev = { 11, 0, 0 }. However, at that moment I didn't
have a master pointer with ID 11 - crash. Unfortunately, I don't have a
suitable backtrace, and I can't recompile my server at the moment, but
maybe this information helps you nevertheless.
caused by missing capabilities checks before posting the event.
Reproducible by calling any device event on a device that doesn't have the
matching classes (e.g. key events on master pointers or button/motion events
Cheers,
Peter
Xext/xtest.c | 24
1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/Xext/xtest.c b/Xext/xtest.c
index 4f5c527..f6ae3e3 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -189,11 +189,35 @@ ProcXTestFakeInput(ClientPtr client)
switch (type) {
case XI_DeviceKeyPress:
case XI_DeviceKeyRelease:
+if (!dev-key)
+{
+client-errorValue = ev-u.u.type;
+return BadValue;
+}
+break;
case XI_DeviceButtonPress:
case XI_DeviceButtonRelease:
+if (!dev-button)
+{
+client-errorValue = ev-u.u.type;
+return BadValue;
+}
+break;
case XI_DeviceMotionNotify:
+if (!dev-valuator)
+{
+client-errorValue = ev-u.u.type;
+return BadValue;
+}
+break;
case XI_ProximityIn:
case XI_ProximityOut:
+if (!dev-proximity)
+{
+client-errorValue = ev-u.u.type;
+return BadValue;
+}
+break;
break;
default:
client-errorValue = ev-u.u.type;
--
1.6.3.rc1.2.g0164.dirty
___
xorg mailing list
xorg@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/xorg
