PointerWindows[] keeps a reference to the last window our sprite
entered - changes are usually handled by CheckMotion().
If we switch between screens via XWarpPointer our
dev->spriteInfo->sprite->win is set to the new screen's root window.
If there's another window at the cursor location CheckMotion() will
trigger the right enter/leave events later. If there is not, it skips
that process and we never trigger LeaveWindow() - PointerWindows[] for
the device still refers to the previous window.
If that window is destroyed we have a dangling reference that will
eventually cause a use-after-free bug when checking the window hierarchy
later.
To trigger this, we require:
- two protocol screens
- XWarpPointer to the other screen's root window
- XDestroyWindow before entering any other window
This is a niche bug so we hack around it by making sure we reset the
PointerWindows[] entry so we cannot have a dangling pointer. This
doesn't handle Enter/Leave events correctly but the previous code didn't
either.
CVE-2023-5380, ZDI-CAN-21608
This vulnerability was discovered by:
Sri working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
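A constructed C model of the bookkeeping described in this message (added example, not X server code; the variable and function names are hypothetical stand-ins for PointerWindows[], CheckMotion(), LeaveWindow() and the sprite window). It replays the warp/destroy sequence once without and once with the reset on screen switch, and reports whether the stale entry survives.

```c
#include <stdbool.h>
#define MAX_WINDOWS 8
#define MAX_DEVICES 4
#define NO_WINDOW   (-1)

/* Constructed model: windows are slots with a liveness flag rather than heap
 * objects, so a stale entry is detectable instead of a real use-after-free. */
static bool window_alive[MAX_WINDOWS];
static int  sprite_win[MAX_DEVICES];      /* models dev->spriteInfo->sprite->win */
static int  pointer_windows[MAX_DEVICES]; /* models PointerWindows[dev] */

static void leave_window(int dev) { pointer_windows[dev] = NO_WINDOW; }

/* CheckMotion(): the leave/enter bookkeeping only runs when a window other
 * than the sprite's current one is under the cursor; otherwise it is skipped. */
static void check_motion(int dev, int win_under_cursor)
{
    if (win_under_cursor == sprite_win[dev])
        return;
    leave_window(dev);
    pointer_windows[dev] = win_under_cursor;  /* EnterWindow() */
    sprite_win[dev] = win_under_cursor;
}

/* XWarpPointer onto another screen's root; the fix resets the entry here. */
static void warp_to_root(int dev, int root, bool with_fix)
{
    sprite_win[dev] = root;
    if (with_fix)
        leave_window(dev);
}

/* The later hierarchy check: does PointerWindows[dev] name a destroyed window? */
static bool pointer_window_is_dangling(int dev)
{
    int w = pointer_windows[dev];
    return w != NO_WINDOW && !window_alive[w];
}

/* Scenario from the commit: screen 0 has root 0 and child 1, screen 1 has root 2.
 * Enter window 1, warp to root 2, destroy window 1 before entering anything else. */
static bool reproduce(bool with_fix)
{
    int dev = 0;
    for (int i = 0; i < MAX_WINDOWS; i++) window_alive[i] = (i <= 2);
    sprite_win[dev] = pointer_windows[dev] = 0;
    check_motion(dev, 1);               /* pointer moves into window 1 */
    warp_to_root(dev, 2, with_fix);
    check_motion(dev, 2);               /* only root 2 under cursor: skipped */
    window_alive[1] = false;            /* XDestroyWindow(window 1) */
    return pointer_window_is_dangling(dev);
}
```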
This is only called from the enterleave implementation, so move it and its
helper functions to there. No functional changes.
Fixes build error introduced in 31174565ec if
building with '-Werror=implicit-function-declaration'
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>

This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
#!/bin/sh
# Usage: compare.sh <build-tree-1> <build-tree-2>
dir1=$1
dir2=$2
# Disassemble every object file in both trees into a .dump file beside it
for dir in "$dir1" "$dir2"; do
    (cd "$dir" && find . -name '*.o' | while read -r file; do
        objdir=`dirname "$file"`
        base=`basename "$file" .o`
        dump=$objdir/$base.dump
        objdump -d "$file" > "$dump"
    done)
done
# Diff each dump from the first tree against its counterpart in the second
find "$dir1" -name '*.dump' | while read -r dump; do
    otherdump=`echo "$dump" | sed "s;$dir1;$dir2;"`
    diff -u "$dump" "$otherdump"
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>

PointerWindows[x] would be set after removing a master pointer. Destroying
this window then crashed the server.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

The sourceid for enter/leave events as a result of pointer motion is the ID
of the slave device. The sourceid for those as a result of a grab activating
is the device itself.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

This commit moves the focus handling from events.c into enterleave.c and
implements a model similar to the core enter/leave model.
For a full description of the model, see:
http://lists.freedesktop.org/archives/xorg/2008-December/041740.html
This commit also gets rid of the focusinout array in the WindowRec, ditching
it in favour of a local array that keeps the current focus window for each
device.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

As proposed by Owen Taylor [1], the enter-leave event model needs to adjust
the events sent to each window depending on the presence of pointers in a
window, or in a subwindow.
The new model can be summarised as:
- if the pointer moves into or out of a window that has a pointer in a child
window, the events are modified to appear as if the pointer was moved out of
or into this child window.
- if the pointer moves into or out of a window that has a pointer in a parent
window, the events are modified to appear as if the pointer was moved out of
or into this parent window.
Note that this model requires CoreEnterLeaveEvent and DeviceEnterLeaveEvent to
be split and treated separately.
[1] http://lists.freedesktop.org/archives/xorg/2008-August/037606.html
Signed-off-by: Peter Hutterer <peter.hutterer@redhat.com>

Device events always need to be delivered, core events only in some cases.
Let's keep them completely separate so we can adjust core event delivery.
Signed-off-by: Peter Hutterer <peter.hutterer@redhat.com>