[PATCH] Fix num_masks/length overflow test for XiSelectEvents

Alan Coopersmith alan.coopersmith at sun.com
Tue Sep 15 17:53:50 PDT 2009

Have to set windowid to a valid value first, since that check
appears earlier in the code than the masks/length check.

Also have to have data[] set large enough so that reading mask
data for 0xFFFF masks doesn't overflow past the end of the array
into uninitialized data.

Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>

Improved version of earlier patch that also addresses the root cause of
why Peter & I saw different results for this test - since we had different
uninitialized data for the masks read past the end of the data[] array.

Also changed to leave the setting of req->win for the next test case,
copying it instead of moving it up, to avoid failure due to the swapl()
of the req->win value during testing.

 test/xi2/protocol-xiselectevents.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/test/xi2/protocol-xiselectevents.c b/test/xi2/protocol-xiselectevents.c
index f314462..fe1c26d 100644
--- a/test/xi2/protocol-xiselectevents.c
+++ b/test/xi2/protocol-xiselectevents.c
@@ -60,7 +60,7 @@
 #include "protocol-common.h"
 #include <glib.h>
-static unsigned char *data[4096 * 16]; /* the request data buffer */
+static unsigned char *data[4096 * 20]; /* the request data buffer */
 int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask)
@@ -284,6 +284,7 @@ static void test_XISelectEvents(void)
     request_XISelectEvent(req, BadWindow);
     g_test_message("Triggering num_masks/length overflow");
+    req->win = ROOT_WINDOW_ID;
     /* Integer overflow - req->length can't hold that much */
     req->num_masks = 0xFFFF;
     request_XISelectEvent(req, BadLength);

More information about the xorg-devel mailing list