frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Convert more funcs to use InternalEvent. 

This fixes a crash when a DeviceEvent struct converted to
InteralEvent was beeing copied as InternalEvent (and thus
causing out of bounds reads) in ActivateGrabNoDelivery()
in events.c: 3876    *grabinfo->sync.event = *real_event;

Possible fix for https://gitlab.freedesktop.org/xorg/xserver/-/issues/1253

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 5b8817a019)
This commit is contained in:
Matthieu Herrb 2021-11-16 23:38:46 +01:00 committed by Povilas Kanapickas
parent b27eaa7283
commit 8223a9d6d9
3 changed files with 30 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Xi/exevents.c
View File

@ -1901,7 +1901,7 @@ ProcessDeviceEvent(InternalEvent *ev, DeviceIntPtr device)
* nested) to clients. */ * nested) to clients. */
if (event->source_type == EVENT_SOURCE_FOCUS) if (event->source_type == EVENT_SOURCE_FOCUS)
return; return;
if (!grab && CheckDeviceGrabs(device, event, 0)) if (!grab && CheckDeviceGrabs(device, ev, 0))
return; return;
break; break;
case ET_KeyRelease: case ET_KeyRelease:
@ -1914,7 +1914,7 @@ ProcessDeviceEvent(InternalEvent *ev, DeviceIntPtr device)
if (b->map[key] == 0) /* there's no button 0 */ if (b->map[key] == 0) /* there's no button 0 */
return; return;
event->detail.button = b->map[key]; event->detail.button = b->map[key];
if (!grab && CheckDeviceGrabs(device, event, 0)) { if (!grab && CheckDeviceGrabs(device, ev, 0)) {
/* if a passive grab was activated, the event has been sent /* if a passive grab was activated, the event has been sent
* already */ * already */
return; return;

53
dix/events.c
View File

@ -1191,7 +1191,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
} }
} }
eventlen = event->length; eventlen = sizeof(InternalEvent);
qe = malloc(sizeof(QdEventRec) + eventlen); qe = malloc(sizeof(QdEventRec) + eventlen);
if (!qe) if (!qe)
@ -1319,7 +1319,7 @@ ComputeFreezes(void)
syncEvents.replayDev = (DeviceIntPtr) NULL; syncEvents.replayDev = (DeviceIntPtr) NULL;
if (!CheckDeviceGrabs(replayDev, &event->device_event, if (!CheckDeviceGrabs(replayDev, event,
syncEvents.replayWin)) { syncEvents.replayWin)) {
if (IsTouchEvent(event)) { if (IsTouchEvent(event)) {
TouchPointInfoPtr ti = TouchPointInfoPtr ti =
@ -3027,7 +3027,7 @@ BOOL
ActivateFocusInGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win) ActivateFocusInGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win)
{ {
BOOL rc = FALSE; BOOL rc = FALSE;
DeviceEvent event; InternalEvent event;
if (dev->deviceGrab.grab) { if (dev->deviceGrab.grab) {
if (!dev->deviceGrab.fromPassiveGrab || if (!dev->deviceGrab.fromPassiveGrab ||
@ -3042,16 +3042,16 @@ ActivateFocusInGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win)
if (win == NoneWin || win == PointerRootWin) if (win == NoneWin || win == PointerRootWin)
return FALSE; return FALSE;
event = (DeviceEvent) { event = (InternalEvent) {
.header = ET_Internal, .device_event.header = ET_Internal,
.type = ET_FocusIn, .device_event.type = ET_FocusIn,
.length = sizeof(DeviceEvent), .device_event.length = sizeof(DeviceEvent),
.time = GetTimeInMillis(), .device_event.time = GetTimeInMillis(),
.deviceid = dev->id, .device_event.deviceid = dev->id,
.sourceid = dev->id, .device_event.sourceid = dev->id,
.detail.button = 0 .device_event.detail.button = 0
}; };
rc = (CheckPassiveGrabsOnWindow(win, dev, (InternalEvent *) &event, FALSE, rc = (CheckPassiveGrabsOnWindow(win, dev, &event, FALSE,
TRUE) != NULL); TRUE) != NULL);
if (rc) if (rc)
DoEnterLeaveEvents(dev, dev->id, old, win, XINotifyPassiveGrab); DoEnterLeaveEvents(dev, dev->id, old, win, XINotifyPassiveGrab);
@ -3068,7 +3068,7 @@ static BOOL
ActivateEnterGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win) ActivateEnterGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win)
{ {
BOOL rc = FALSE; BOOL rc = FALSE;
DeviceEvent event; InternalEvent event;
if (dev->deviceGrab.grab) { if (dev->deviceGrab.grab) {
if (!dev->deviceGrab.fromPassiveGrab || if (!dev->deviceGrab.fromPassiveGrab ||
@ -3080,16 +3080,16 @@ ActivateEnterGrab(DeviceIntPtr dev, WindowPtr old, WindowPtr win)
(*dev->deviceGrab.DeactivateGrab) (dev); (*dev->deviceGrab.DeactivateGrab) (dev);
} }
event = (DeviceEvent) { event = (InternalEvent) {
.header = ET_Internal, .device_event.header = ET_Internal,
.type = ET_Enter, .device_event.type = ET_Enter,
.length = sizeof(DeviceEvent), .device_event.length = sizeof(DeviceEvent),
.time = GetTimeInMillis(), .device_event.time = GetTimeInMillis(),
.deviceid = dev->id, .device_event.deviceid = dev->id,
.sourceid = dev->id, .device_event.sourceid = dev->id,
.detail.button = 0 .device_event.detail.button = 0
}; };
rc = (CheckPassiveGrabsOnWindow(win, dev, (InternalEvent *) &event, FALSE, rc = (CheckPassiveGrabsOnWindow(win, dev, &event, FALSE,
TRUE) != NULL); TRUE) != NULL);
if (rc) if (rc)
DoEnterLeaveEvents(dev, dev->id, old, win, XINotifyPassiveGrab); DoEnterLeaveEvents(dev, dev->id, old, win, XINotifyPassiveGrab);
@ -4141,14 +4141,15 @@ CheckPassiveGrabsOnWindow(WindowPtr pWin,
*/ */
Bool Bool
CheckDeviceGrabs(DeviceIntPtr device, DeviceEvent *event, WindowPtr ancestor) CheckDeviceGrabs(DeviceIntPtr device, InternalEvent *ievent, WindowPtr ancestor)
{ {
int i; int i;
WindowPtr pWin = NULL; WindowPtr pWin = NULL;
FocusClassPtr focus = FocusClassPtr focus =
IsPointerEvent((InternalEvent *) event) ? NULL : device->focus; IsPointerEvent(ievent) ? NULL : device->focus;
BOOL sendCore = (IsMaster(device) && device->coreEvents); BOOL sendCore = (IsMaster(device) && device->coreEvents);
Bool ret = FALSE; Bool ret = FALSE;
DeviceEvent *event = &ievent->device_event;
if (event->type != ET_ButtonPress && event->type != ET_KeyPress) if (event->type != ET_ButtonPress && event->type != ET_KeyPress)
return FALSE; return FALSE;
@ -4171,7 +4172,7 @@ CheckDeviceGrabs(DeviceIntPtr device, DeviceEvent *event, WindowPtr ancestor)
if (focus) { if (focus) {
for (; i < focus->traceGood; i++) { for (; i < focus->traceGood; i++) {
pWin = focus->trace[i]; pWin = focus->trace[i];
if (CheckPassiveGrabsOnWindow(pWin, device, (InternalEvent *) event, if (CheckPassiveGrabsOnWindow(pWin, device, ievent,
sendCore, TRUE)) { sendCore, TRUE)) {
ret = TRUE; ret = TRUE;
goto out; goto out;
@ -4186,7 +4187,7 @@ CheckDeviceGrabs(DeviceIntPtr device, DeviceEvent *event, WindowPtr ancestor)
for (; i < device->spriteInfo->sprite->spriteTraceGood; i++) { for (; i < device->spriteInfo->sprite->spriteTraceGood; i++) {
pWin = device->spriteInfo->sprite->spriteTrace[i]; pWin = device->spriteInfo->sprite->spriteTrace[i];
if (CheckPassiveGrabsOnWindow(pWin, device, (InternalEvent *) event, if (CheckPassiveGrabsOnWindow(pWin, device, ievent,
sendCore, TRUE)) { sendCore, TRUE)) {
ret = TRUE; ret = TRUE;
goto out; goto out;

2
include/dix.h
View File

@ -458,7 +458,7 @@ WindowHasNewCursor(WindowPtr /* pWin */ );
extern Bool extern Bool
CheckDeviceGrabs(DeviceIntPtr /* device */ , CheckDeviceGrabs(DeviceIntPtr /* device */ ,
DeviceEvent * /* event */ , InternalEvent * /* event */ ,
WindowPtr /* ancestor */ ); WindowPtr /* ancestor */ );
extern void extern void