xserver: Branch 'xwayland-22.1' - 2 commits

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Jan 25 09:00:35 UTC 2023


 Xi/exevents.c   |    2 +-
 dix/events.c    |   20 +++++++++++++++++---
 include/input.h |    1 +
 3 files changed, 19 insertions(+), 4 deletions(-)

New commits:
commit 8e3926281fb4e42655a4e32dac814a3de193cef7
Author: Mike Gorse <mgorse at suse.com>
Date:   Wed Jan 25 02:02:48 2023 +0000

    dix: Use CopyPartialInternalEvent in EnqueueEvent
    
    The event might be a DeviceEvent allocated on the stack, in
    AccessXKeyboardEvent for instance. Fixes out-of-bounds read.
    
    Signed-off-by: Mike Gorse <mgorse at suse.com>
    (cherry picked from commit 2ef5ef57bd37a8bec2ac454053b283c6f87c3b40)

diff --git a/dix/events.c b/dix/events.c
index 28d7d177c..9a4bff314 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1215,7 +1215,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
     qe->pScreen = pSprite->hotPhys.pScreen;
     qe->months = currentTime.months;
     qe->event = (InternalEvent *) (qe + 1);
-    memcpy(qe->event, event, eventlen);
+    CopyPartialInternalEvent(qe->event, (InternalEvent *)event);
     xorg_list_append(&qe->next, &syncEvents.pending);
 }
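Review bot: The copy size in EnqueueEvent now comes from the event's own length field inside `CopyPartialInternalEvent`, while the destination `qe->event` (`qe + 1`) lives in an allocation sized outside this hunk, presumably from `eventlen`. Nothing on the new line ties the two sizes together, so a later change to the allocation could turn the out-of-bounds read fixed here into an out-of-bounds write. I would pin the invariant next to the call, e.g. `BUG_WARN(((InternalEvent *)event)->any.length > eventlen);`. It is also worth confirming that no consumer reads `qe->event` past that length, since those bytes are no longer written here. The allocation and the rest of EnqueueEvent are outside the hunk.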
 
commit 905bc7f70b6a514e32a8e51181f84cd797f65391
Author: Povilas Kanapickas <povilas at radix.lt>
Date:   Sun Jan 23 22:18:52 2022 +0200

    dix: Correctly save replayed event into GrabInfoRec
    
    When processing events we operate on InternalEvent pointers. They may
    actually refer to an instance of DeviceEvent, GestureEvent or any
    other event that comprises the InternalEvent union. This works well in
    practice because we always look into event type before doing anything,
    except in the case of copying the event.
    
    *dst_event = *src_event would copy whole InternalEvent event and would
    cause out of bounds read in case the pointed to event was not
    InternalEvent but e.g. DeviceEvent.
    
    This regression has been introduced in
    23a8b62d34344575f9df9d057fb74bfefa94a77b.
    
    Fixes https://gitlab.freedesktop.org/xorg/xserver/-/issues/1261
    
    Signed-off-by: Povilas Kanapickas <povilas at radix.lt>
    (cherry picked from commit 6ef5c05728f8b18170fbc8415d7502495a08670b)

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 94b9983bd..217baa956 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1524,7 +1524,7 @@ DeliverTouchEmulatedEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
             g = AllocGrab(devgrab);
             BUG_WARN(!g);
 
-            *dev->deviceGrab.sync.event = *ev;
+            CopyPartialInternalEvent(dev->deviceGrab.sync.event, ev);
 
             /* The listener array has a sequence of grabs and then one event
              * selection. Implicit grab activation occurs through delivering an
diff --git a/dix/events.c b/dix/events.c
index 341c746d4..28d7d177c 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -467,6 +467,20 @@ WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev)
     return xi2mask_isset(inputMasks->xi2mask, dev, evtype);
 }
 
+/**
+ * When processing events we operate on InternalEvent pointers. They may actually refer to a
+ * an instance of DeviceEvent, GestureEvent or any other event that comprises the InternalEvent
+ * union. This works well in practice because we always look into event type before doing anything,
+ * except in the case of copying the event. Any copying of InternalEvent should use this function
+ * instead of doing *dst_event = *src_event whenever it's not clear whether source event actually
+ * points to full InternalEvent instance.
+ */
+void
+CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event)
+{
+    memcpy(dst_event, src_event, src_event->any.length);
+}
+
 Mask
 GetEventMask(DeviceIntPtr dev, xEvent *event, InputClients * other)
 {
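Review bot: `CopyPartialInternalEvent` hands `src_event->any.length` to `memcpy` unchecked, so the helper is only as safe as that field: a length larger than the destination would make this an out-of-bounds write rather than the read the commit is fixing. The `sync.event` destinations in this commit look like full `InternalEvent` storage, so a guard ahead of the copy such as `BUG_RETURN(src_event->any.length > sizeof(InternalEvent));` would enforce the contract. The doc comment should also say that the destination must hold at least `any.length` bytes and that bytes past that length keep whatever the previous event left there. That applies equally to the call sites in DeliverTouchEmulatedEvent, ActivateGrabNoDelivery and FreezeThisEventIfNeededForSyncGrab. GetEventMask at the end of this hunk continues outside it.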
@@ -3873,7 +3887,7 @@ void ActivateGrabNoDelivery(DeviceIntPtr dev, GrabPtr grab,
 
     if (grabinfo->sync.state == FROZEN_NO_EVENT)
         grabinfo->sync.state = FROZEN_WITH_EVENT;
-    *grabinfo->sync.event = *real_event;
+    CopyPartialInternalEvent(grabinfo->sync.event, real_event);
 }
 
 static BOOL
@@ -4455,7 +4469,7 @@ FreezeThisEventIfNeededForSyncGrab(DeviceIntPtr thisDev, InternalEvent *event)
     case FREEZE_NEXT_EVENT:
         grabinfo->sync.state = FROZEN_WITH_EVENT;
         FreezeThaw(thisDev, TRUE);
-        *grabinfo->sync.event = *event;
+        CopyPartialInternalEvent(grabinfo->sync.event, event);
         break;
     }
 }
diff --git a/include/input.h b/include/input.h
index b1aef3663..cdb5d5a90 100644
--- a/include/input.h
+++ b/include/input.h
@@ -676,6 +676,7 @@ extern void GestureEmitGestureEndToOwner(DeviceIntPtr dev, GestureInfoPtr gi);
 extern void ProcessGestureEvent(InternalEvent *ev, DeviceIntPtr dev);
 
 /* misc event helpers */
+extern void CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event);
 extern Mask GetEventMask(DeviceIntPtr dev, xEvent *ev, InputClientsPtr clients);
 extern Mask GetEventFilter(DeviceIntPtr dev, xEvent *event);
 extern Bool WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev);
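Review bot: The new prototype writes the pointer declarator as `InternalEvent* dst_event`, while the neighbouring declarations in this header bind it to the name (`InternalEvent *ev`, `xEvent *event`). For consistency I would declare it as `extern void CopyPartialInternalEvent(InternalEvent *dst_event, const InternalEvent *src_event);` and match that in the definition in dix/events.c. A one-line comment above it stating that at most `src_event->any.length` bytes are copied would save callers a trip to the definition.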

