The other values are checked correctly, but if a modifier was outside the allowed range, it would go unnoticed and cause an out-of-bounds read error for any mask equal to or larger than 256. The DetailRec where we store the grab masks is only sized to 8 * sizeof(Mask).
Signed-off-by: Peter Hutterer <[email protected]>
---
 Xi/exevents.c | 3 ++-
 Xi/xipassivegrab.c | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 4ed58ee..e9f670e 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
 return BadValue;
 }
- if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
+ if (param->modifiers != AnyModifier &&
+ param->modifiers != XIAnyModifier &&
 (param->modifiers & ~AllModifiersMask)) {
 client->errorValue = param->modifiers;
 return BadValue;
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 8aba977..700622d 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
 uint8_t status = Success;
 param.modifiers = *modifiers;
+ ret = CheckGrabValues(client, ¶m);
+ if (ret != Success)
+ goto out;
+
 switch (stuff->grab_type) {
 case XIGrabtypeButton:
 status = GrabButton(client, dev, mod_dev, stuff->detail,
--
1.8.4.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
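Review bot: Dropping the `param->grabtype != XI2` test in the CheckGrabValues hunk means `XIAnyModifier` is now exempt from the range check for every grab type, not only XI2 grabs. That is harmless if core and XI 1.x callers can only ever fill `param->modifiers` from a narrower field, but nothing in the hunk shows that. Tying the wildcard to its protocol keeps the check strict: `(param->grabtype != XI2 || param->modifiers != XIAnyModifier) &&`. A short comment above the condition would also help, e.g. `/* modifiers select a DetailRec mask (8 * sizeof(Mask)); bits outside AllModifiersMask read out of bounds */`. The body of CheckGrabValues starts and ends outside the hunk.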
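Review bot: In the ProcXIPassiveGrabDevice hunk the new `CheckGrabValues(client, ¶m)` call sits right after `param.modifiers = *modifiers;`, which looks like per-modifier processing. If so, a request whose later modifier is out of range may bail out through `goto out` with `BadValue` after grabs for its earlier modifiers were already installed. Validating every modifier in a first pass, before any `GrabButton`-style call runs, would let a rejected request leave no state behind. If the partial result is intended, a comment at the check should say so. The enclosing loop and the `out` label are outside the hunk, so this needs confirming against the full function.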
