[PATCH 1.9.2.902 1/1] dix: GetPointerEvents: added valuator range checking

Oliver McFadden oliver.mcfadden at nokia.com
Mon Jan 24 12:03:30 PST 2011


Button events may be sent with no valuators (e.g. to simply indicate
ButtonPress or ButtonRelease without any coordinates); when this happens
the server would read uninitialized memory.

==9999== Conditional jump or move depends on uninitialised value(s)
==9999==    at 0x48E87E8: pixman_f_transform_point (in /usr/lib/libpixman-1.so.0.18.2)
==9999==  Uninitialised value was created by a stack allocation
==9999==    at 0x37524: GetPointerEvents (getevents.c:1074)
==9999==
==9999== Conditional jump or move depends on uninitialised value(s)
==9999==    at 0x496D074: lround (s_lround.c:40)
==9999==    by 0x3773B: GetPointerEvents (getevents.c:1048)
==9999==    by 0x683BB: xf86PostButtonEventP (xf86Xinput.c:1162)
==9999==    by 0x6853B: xf86PostButtonEvent (xf86Xinput.c:1126)
==9999==    by 0x5779037: process_state (multitouch.c:321)      (xf86-input-mtev)
==9999==    by 0x577908F: read_input (multitouch.c:331))        (xf86-input-mtev)
==9999==    by 0x66B4F: xf86SigioReadInput (xf86Events.c:298)
==9999==    by 0x112697: xf86SIGIO (sigio.c:118)
==9999==    by 0x4A12B2F: ??? (sigrestorer.S:51)
==9999==  Uninitialised value was created by a stack allocation
==9999==    at 0x37524: GetPointerEvents (getevents.c:1074)

Signed-off-by: Oliver McFadden <oliver.mcfadden at nokia.com>
---
I'm not sure anyone actually cares about this patch anymore, since this code has
changed completely due to the valuator rework. If someone wants to apply it to
the 1.9.2(.xxx) branches, then please be my guest.

 dix/getevents.c |   18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/dix/getevents.c b/dix/getevents.c
index e5134d3..f1e5514 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1034,19 +1034,21 @@ FreeEventList(EventListPtr list, int num_events)
 }
 
 static void
-transformAbsolute(DeviceIntPtr dev, int v[MAX_VALUATORS])
+transformAbsolute(DeviceIntPtr dev, int first, int num, int *valuators)
 {
-    struct pixman_f_vector p;
+    struct pixman_f_vector p = { .v = {0.0, 0.0, 1.0} };
 
     /* p' = M * p in homogeneous coordinates */
-    p.v[0] = v[0];
-    p.v[1] = v[1];
-    p.v[2] = 1.0;
+    if (num >= 1 && first == 0)
+        p.v[0] = *(valuators + 0);
+
+    if (first <= 1 && num >= (2 - first))
+        p.v[1] = *(valuators + 1 - first);
 
     pixman_f_transform_point(&dev->transform, &p);
 
-    v[0] = lround(p.v[0]);
-    v[1] = lround(p.v[1]);
+    valuators[0] = lround(p.v[0]);
+    valuators[1] = lround(p.v[1]);
 }
 
 /**
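Review bot: the write-back at the end of transformAbsolute is still unconditional (`valuators[0] = lround(p.v[0]);` / `valuators[1] = lround(p.v[1]);`) while the reads above it are now guarded by first/num, so a call with num == 0 (the button-only case the commit message describes) stores two transformed values of the default (0, 0, 1) point into an array that supplied nothing, and a call with first == 1 reads Y from `valuators[1 - first]` (index 0) but writes it back to `valuators[1]`. Guard the stores with the same two conditions and the same index as the loads, e.g. `if (first <= 1 && num >= (2 - first)) valuators[1 - first] = lround(p.v[1]);`, or return early when neither valuator is present. Minor: `*(valuators + 0)` and `*(valuators + 1 - first)` read more clearly as `valuators[0]` and `valuators[1 - first]`.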
@@ -1124,7 +1126,7 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
                         scr->height);
         }
 
-        transformAbsolute(pDev, valuators);
+        transformAbsolute(pDev, first_valuator, num_valuators, valuators);
         moveAbsolute(pDev, &x, &y, first_valuator, num_valuators, valuators);
     } else {
         if (flags & POINTER_ACCELERATE) {
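Review bot: the call site still enters transformAbsolute for every absolute event, including those with num_valuators == 0 that the commit message identifies as the trigger; since there is nothing to transform in that case, consider skipping the call (`if (num_valuators > 0) transformAbsolute(...)`) so that correctness does not rest solely on the guards inside the helper. The new argument order (first, num, valuators) matches moveAbsolute on the next line, which keeps the two calls consistent.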
-- 
1.7.1.245.g7c42e
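The guarded transform discussed in this patch, as an added stand-alone example that is not Oliver McFadden's patch nor X server code: `pixman_f_transform_point` is replaced by a plain 3x3 homogeneous transform (`transform_point`), `lround` by a cast-based `round_to_int` so no libm is needed, and `transform_absolute`, `make_transform` and the struct names are hypothetical. It shows the behaviour a reviewer would want, namely that only supplied valuators are read, and only those are written back, at the index they were read from, so a button-only event (num == 0) leaves the array untouched.

```c
#include <stdio.h>

struct f_transform { double m[3][3]; };
struct f_vector { double v[3]; };

/* Stand-in for pixman_f_transform_point() (assumed p' = M * p semantics,
 * result divided by the homogeneous coordinate). Returns 0 if the point
 * would go to infinity. */
static int transform_point(const struct f_transform *t, struct f_vector *p)
{
    double r[3] = { 0.0, 0.0, 0.0 };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++)
            r[i] += t->m[i][j] * p->v[j];
    if (r[2] == 0.0)
        return 0;
    p->v[0] = r[0] / r[2];
    p->v[1] = r[1] / r[2];
    p->v[2] = 1.0;
    return 1;
}

/* Stand-in for lround(): round half away from zero without libm. */
static int round_to_int(double x)
{
    return (int)(x >= 0.0 ? x + 0.5 : x - 0.5);
}

/* Hypothetical helper: scale by (sx, sy), then translate by (tx, ty). */
struct f_transform make_transform(double sx, double sy, double tx, double ty)
{
    struct f_transform t = { .m = { { sx, 0.0, tx }, { 0.0, sy, ty }, { 0.0, 0.0, 1.0 } } };
    return t;
}

/* Guarded version of the patch's transformAbsolute(): X is valuator 0 and Y
 * is valuator 1; 'first' is the index of the first supplied valuator and
 * 'num' how many follow. Only supplied valuators are read, and only those
 * are written back, at the same index they were read from.
 * Returns how many valuators were transformed (0, 1 or 2). */
int transform_absolute(const struct f_transform *t, int first, int num, int *valuators)
{
    struct f_vector p = { .v = { 0.0, 0.0, 1.0 } };
    int have_x = (first == 0 && num >= 1);
    int have_y = (first >= 0 && first <= 1 && num >= 2 - first);

    if (!have_x && !have_y)
        return 0;                 /* button-only event: nothing to read or write */

    if (have_x)
        p.v[0] = valuators[0];
    if (have_y)
        p.v[1] = valuators[1 - first];

    if (!transform_point(t, &p))
        return 0;

    /* Write back under the same guards and at the same indices as the loads. */
    if (have_x)
        valuators[0] = round_to_int(p.v[0]);
    if (have_y)
        valuators[1 - first] = round_to_int(p.v[1]);

    return have_x + have_y;
}

int main(void)
{
    struct f_transform t = make_transform(2.0, 2.0, 5.0, 5.0);
    int xy[2] = { 10, 20 };      /* constructed: X=10, Y=20, first_valuator=0 */
    int y_only[1] = { 20 };      /* constructed: Y only, first_valuator=1 */
    int none[2] = { 7, 8 };      /* constructed: button event, no valuators */

    transform_absolute(&t, 0, 2, xy);
    transform_absolute(&t, 1, 1, y_only);
    transform_absolute(&t, 0, 0, none);
    printf("xy -> (%d, %d), y_only -> %d, untouched -> (%d, %d)\n",
           xy[0], xy[1], y_only[0], none[0], none[1]);
    return 0;
}
```

With a translation in the matrix the difference is visible: an unguarded write-back would store the transformed origin (5, 5) into the button-only array, whereas the guarded version returns 0 and leaves the caller's values alone.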
