[PATCH] Xi: check for invalid modifiers for XI2 passive grabs
Peter Hutterer
peter.hutterer at who-t.net
Wed Feb 19 19:35:29 PST 2014
The other values are checked correctly, but if a modifier was outside the
allowed range, it would go unnoticed and cause a out-of-bounds read error for
any mask equal or larger than 256. The DetailRec where we store the grab masks
is only sized to 8 * sizeof(Mask).
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
---
Xi/exevents.c | 3 ++-
Xi/xipassivegrab.c | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 4ed58ee..e9f670e 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -2183,7 +2183,8 @@ CheckGrabValues(ClientPtr client, GrabParameters *param)
return BadValue;
}
- if (param->grabtype != XI2 && (param->modifiers != AnyModifier) &&
+ if (param->modifiers != AnyModifier &&
+ param->modifiers != XIAnyModifier &&
(param->modifiers & ~AllModifiersMask)) {
client->errorValue = param->modifiers;
return BadValue;
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 8aba977..700622d 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -189,6 +189,10 @@ ProcXIPassiveGrabDevice(ClientPtr client)
uint8_t status = Success;
param.modifiers = *modifiers;
+ ret = CheckGrabValues(client, ¶m);
+ if (ret != Success)
+ goto out;
+
switch (stuff->grab_type) {
case XIGrabtypeButton:
status = GrabButton(client, dev, mod_dev, stuff->detail,
--
1.8.4.2
More information about the xorg-devel
mailing list