Calling XTestFakeDevice*Event on a device that doesn't allow the matching event returns BadValue.
Reported-by: Florian Echtler Signed-off-by: Peter Hutterer <[email protected]> --- On Sat, Jun 27, 2009 at 03:05:48PM +0200, Florian Echtler wrote: > just a very short bug report: yesterday, I made my Xserver segfault by > using XTestFakeDeviceMotionEvent. I passed an XDevice struct looking as > follows: XDevice dev = { 11, 0, 0 }. However, at that moment I didn't > have a master pointer with ID 11 -> crash. Unfortunately, I don't have a > suitable backtrace, and I can't recompile my server at the moment, but > maybe this information helps you nevertheless. caused by missing capabilities checks before posting the event. Reproducible by calling any device event on a device that doesn't have the matching classes (e.g. key events on master pointers or button/motion events Cheers, Peter Xext/xtest.c | 24 ++++++++++++++++++++++++ 1 files changed, 24 insertions(+), 0 deletions(-) diff --git a/Xext/xtest.c b/Xext/xtest.c index 4f5c527..f6ae3e3 100644 --- a/Xext/xtest.c +++ b/Xext/xtest.c @@ -189,11 +189,35 @@ ProcXTestFakeInput(ClientPtr client) switch (type) { case XI_DeviceKeyPress: case XI_DeviceKeyRelease: + if (!dev->key) + { + client->errorValue = ev->u.u.type; + return BadValue; + } + break; case XI_DeviceButtonPress: case XI_DeviceButtonRelease: + if (!dev->button) + { + client->errorValue = ev->u.u.type; + return BadValue; + } + break; case XI_DeviceMotionNotify: + if (!dev->valuator) + { + client->errorValue = ev->u.u.type; + return BadValue; + } + break; case XI_ProximityIn: case XI_ProximityOut: + if (!dev->proximity) + { + client->errorValue = ev->u.u.type; + return BadValue; + } + break; break; default: client->errorValue = ev->u.u.type; -- 1.6.3.rc1.2.g0164.dirty _______________________________________________ xorg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xorg
