From 88c767edb01ed7efb19ffe3a453e16107b27130b Mon Sep 17 00:00:00 2001 From: Michal Suchanek Date: Wed, 23 May 2012 11:22:05 +0200 Subject: [PATCH 1/2] Fix crash for motion events from devices without valuators A WarpPointer request may trigger a motion event on a device without valuators. That request is ignored by GetPointerEvents but during smooth scroll emulation we dereference dev->valuators to get the number of axes. Break out early if the device doesn't have valuators. Signed-off-by: Michal Suchanek Reviewed-by: Peter Hutterer Signed-off-by: Peter Hutterer
---
 dix/getevents.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/getevents.c b/dix/getevents.c
index ae4112ffc..4fbaa6c94 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1615,7 +1615,7 @@ GetPointerEvents(InternalEvent *events, DeviceIntPtr pDev, int type,
 /* Now turn the smooth-scrolling axes back into emulated button presses
 * for legacy clients, based on the integer delta between before and now */
 for (i = 0; i < valuator_mask_size(&mask); i++) {
- if (i >= pDev->valuator->numAxes)
+ if ( !pDev->valuator || (i >= pDev->valuator->numAxes))
 break;
 if (!valuator_mask_isset(&mask, i))
From 42ae2e8199fe875319978249963de7499607988b Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Tue, 29 May 2012 10:17:50 +0530 Subject: [PATCH 2/2] xkb: Allocate size_syms correctly when width of a type increases The current code seems to skip syms with width less than type->num_levels when calculating the total size for the new size_syms. This leads to less space being allocated than necessary during the next phase, which is to copy over the syms to the new location. This results in an overflow leading to a crash. Signed-off-by: Siddhesh Poyarekar Signed-off-by: Peter Hutterer
---
 xkb/XKBMAlloc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xkb/XKBMAlloc.c b/xkb/XKBMAlloc.c
index 645e90544..3ffd5dad1 100644
--- a/xkb/XKBMAlloc.c
+++ b/xkb/XKBMAlloc.c
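Review bot: The new `!pDev->valuator` test in the scroll-emulation loop of GetPointerEvents (dix/getevents.c) is loop-invariant but sits inside the per-axis bounds check, so its purpose is easy to miss and easy to drop in a later cleanup. The commit message says the NULL dereference is reachable from a client's WarpPointer request, so I would state that at the guard, e.g. `/* WarpPointer can deliver motion on a device without a valuator class; nothing to emulate */`, or hoist the test in front of the `for`. The spacing in `if ( !pDev->valuator` also differs from the neighbouring `if (!valuator_mask_isset(&mask, i))`. The loop body continues past the end of the hunk, so any further `pDev->valuator` uses in it cannot be checked from here.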
@@ -375,8 +375,10 @@ XkbResizeKeyType(XkbDescPtr xkb,
 nResize = 0;
 for (nTotal = 1, i = xkb->min_key_code; i <= xkb->max_key_code; i++) {
 width = XkbKeyGroupsWidth(xkb, i);
- if (width < type->num_levels)
+ if (width < type->num_levels || width >= new_num_lvls) {
+ nTotal += XkbKeyNumSyms(xkb,i);
 continue;
+ }
 for (match = 0, g = XkbKeyNumGroups(xkb, i) - 1; (g >= 0) && (!match); g--) {
 if (XkbKeyKeyTypeIndex(xkb, i, g) == type_ndx) {
@@ -384,7 +386,7 @@ XkbResizeKeyType(XkbDescPtr xkb,
 match = 1;
 }
 }
- if ((!match) || (width >= new_num_lvls))
+ if (!match)
 nTotal += XkbKeyNumSyms(xkb, i);
 else {
 nTotal += XkbKeyNumGroups(xkb, i) * new_num_lvls;
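Review bot: Moving `width >= new_num_lvls` into the early `continue` in the first hunk of XkbResizeKeyType (xkb/XKBMAlloc.c) also skips the per-group match search for those keys, which the old code still ran before falling back to `XkbKeyNumSyms`. The source line between the two hunks is not shown; if it records the key for the later copy phase, keys that are already wide enough are now left out of that record. That looks intended, but it is a behaviour change beyond the size fix and deserves a sentence in the commit message or a comment at the `continue`. `XkbKeyNumSyms(xkb,i)` is also missing the space after the comma that the same call has in the second hunk.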
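Review bot: Nothing near the `if (!match)` branch in the second hunk documents that `nTotal` must be at least the number of syms the following copy phase writes, which is the invariant the commit message says was broken and led to the overflow. A short comment above the sizing loop would help keep the two passes in step, e.g. `/* nTotal must cover every key: its current syms, or groups * new_num_lvls if it is widened */`. The copy phase itself is outside the hunk, so the two passes cannot be compared here.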