On 02/19/14 07:35 PM, Peter Hutterer wrote:
The other values are checked correctly, but if a modifier was outside the
allowed range, it would go unnoticed and cause a out-of-bounds read error for
any mask equal or larger than 256. The DetailRec where we store the grab masks
is only sized to 8 * sizeof(Mask).
Signed-off-by: Peter Hutterer <[email protected]>
---
Xi/exevents.c | 3 ++-
Xi/xipassivegrab.c | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 4ed58ee..e9f670e 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
return BadValue;
}
- if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
+ if (param->modifiers != AnyModifier &&
+ param->modifiers != XIAnyModifier &&
(param->modifiers & ~AllModifiersMask)) {
client->errorValue = param->modifiers;
return BadValue;
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 8aba977..700622d 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
uint8_t status = Success;
param.modifiers = *modifiers;
+ ret = CheckGrabValues(client, ¶m);
+ if (ret != Success)
+ goto out;
+
switch (stuff->grab_type) {
case XIGrabtypeButton:
status = GrabButton(client, dev, mod_dev, stuff->detail,
Reviewed-by: Alan Coopersmith <[email protected]>
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
