From 139368f7ae192b592e24d013e8ca5ce4175effe1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Tue, 15 Sep 2009 17:53:50 -0700
Subject: [PATCH] Fix num_masks/length overflow test for XiSelectEvents

Have to set windowid to a valid value first, since that check
appears earlier in the code than the masks/length check.

Also have to have data[] set large enough so that reading mask
data for 0xFFFF masks doesn't overflow past the end of the array
into uninitialized data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 test/xi2/protocol-xiselectevents.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/xi2/protocol-xiselectevents.c b/test/xi2/protocol-xiselectevents.c
index f314462b5..fe1c26df8 100644
--- a/test/xi2/protocol-xiselectevents.c
+++ b/test/xi2/protocol-xiselectevents.c
@@ -60,7 +60,7 @@
 #include "protocol-common.h"
 #include <glib.h>
 
-static unsigned char *data[4096 * 16]; /* the request data buffer */
+static unsigned char *data[4096 * 20]; /* the request data buffer */
 
 int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask)
 {
@@ -284,6 +284,7 @@ static void test_XISelectEvents(void)
     request_XISelectEvent(req, BadWindow);
 
     g_test_message("Triggering num_masks/length overflow");
+    req->win = ROOT_WINDOW_ID;
     /* Integer overflow - req->length can't hold that much */
     req->num_masks = 0xFFFF;
     request_XISelectEvent(req, BadLength);