From f8ec5f9c7bebd698f5c0a7b8c2f871b947a83686 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Wed, 8 Apr 2015 09:20:22 +1000
Subject: [PATCH] Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574)
---
 ...-evdev-fix-crash-for-missing-ABS_X-Y.patch | 35 +++++++
 ...ng-of-fake-MT-devices-without-ABS_X-.patch | 94 +++++++++++++++++++
 libinput.spec | 8 +-
 3 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 0001-evdev-fix-crash-for-missing-ABS_X-Y.patch
 create mode 100644 0002-evdev-fix-handling-of-fake-MT-devices-without-ABS_X-.patch
diff --git a/0001-evdev-fix-crash-for-missing-ABS_X-Y.patch b/0001-evdev-fix-crash-for-missing-ABS_X-Y.patch
new file mode 100644
index 0000000..2865ded
--- /dev/null
+++ b/0001-evdev-fix-crash-for-missing-ABS_X-Y.patch
@@ -0,0 +1,35 @@
+From 06fbf985f8d63572a0674f1904680d275fe2b2f3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Wed, 8 Apr 2015 07:43:54 +1000
+Subject: [PATCH libinput] evdev: fix crash for missing ABS_X/Y
+
+libevdev_set_abs_info() is a noop if the event code isn't enabled on the
+device. This leaves ABS_X/Y on NULL, causing a crash later when dereferencing
+the absinfo.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=89783
+
+Signed-off-by: Peter Hutterer
+---
+ src/evdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/evdev.c b/src/evdev.c
+index a972b9d..115dc99 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -1444,9 +1444,9 @@ evdev_fix_android_mt(struct evdev_device *device)
+ !libevdev_has_event_code(evdev, EV_ABS, ABS_MT_POSITION_Y))
+ return;
+
+- libevdev_set_abs_info(evdev, ABS_X,
++ libevdev_enable_event_code(evdev, EV_ABS, ABS_X,
+ libevdev_get_abs_info(evdev, ABS_MT_POSITION_X));
+- libevdev_set_abs_info(evdev, ABS_Y,
++ libevdev_enable_event_code(evdev, EV_ABS, ABS_Y,
+ libevdev_get_abs_info(evdev, ABS_MT_POSITION_Y));
+ }
+
+--
+2.3.4
+
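Review bot: The reason for switching `evdev_fix_android_mt()` from `libevdev_set_abs_info()` to `libevdev_enable_event_code()` is recorded only in the commit message, so a later cleanup could revert it and bring back the NULL absinfo crash. I would add a comment above the first call, e.g. `/* libevdev_set_abs_info() is a no-op for codes the device does not have, so enable ABS_X/Y explicitly with the MT axis ranges */`. The return value of both `libevdev_enable_event_code()` calls is also discarded; failure looks unlikely given the ABS_MT_POSITION_X/Y guard just above, but the axis set comes from the device, so the caller should not assume ABS_X/ABS_Y exist afterwards without checking. The function body starts outside the hunk.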
diff --git a/0002-evdev-fix-handling-of-fake-MT-devices-without-ABS_X-.patch b/0002-evdev-fix-handling-of-fake-MT-devices-without-ABS_X-.patch
new file mode 100644
index 0000000..9d9e9a8
--- /dev/null
+++ b/0002-evdev-fix-handling-of-fake-MT-devices-without-ABS_X-.patch
@@ -0,0 +1,94 @@
+From a0834969d166285714bf18041044aa23a38a8413 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Wed, 8 Apr 2015 08:11:54 +1000
+Subject: [PATCH libinput] evdev: fix handling of fake MT devices without
+ ABS_X/Y
+
+The previous code didn't handle fake MT devices without ABS_X/Y axes at all
+(like the Razer BlackWidow keyboard). Those devices usually start at ABS_MISC
+and go up to ABS_MAX, thus triggering the Android check.
+
+Split the condition up: if the device is not a fake MT device we check for the
+Android missing axes first and add them. Then we proceed, but now we know that
+the ABS_X axis must exist.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=89783
+
+Signed-off-by: Peter Hutterer
+---
+ src/evdev.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/evdev.c b/src/evdev.c
+index 115dc99..1712a8d 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -1374,6 +1374,10 @@ evdev_fix_abs_resolution(struct evdev_device *device,
+ return 0;
+ }
+
++ if (!libevdev_has_event_code(evdev, EV_ABS, xcode) ||
++ !libevdev_has_event_code(evdev, EV_ABS, ycode))
++ return 0;
++
+ absx = libevdev_get_abs_info(evdev, xcode);
+ absy = libevdev_get_abs_info(evdev, ycode);
+
+@@ -1431,6 +1435,18 @@ evdev_device_get_udev_tags(struct evdev_device *device,
+ return tags;
+ }
+
++/* Fake MT devices have the ABS_MT_SLOT bit set because of
++ the limited ABS_* range - they aren't MT devices, they
++ just have too many ABS_ axes */
++static inline bool
++evdev_is_fake_mt_device(struct evdev_device *device)
++{
++ struct libevdev *evdev = device->evdev;
++
++ return libevdev_has_event_code(evdev, EV_ABS, ABS_MT_SLOT) &&
++ libevdev_get_num_slots(evdev) == -1;
++}
++
+ static inline void
+ evdev_fix_android_mt(struct evdev_device *device)
+ {
+@@ -1441,7 +1457,8 @@ evdev_fix_android_mt(struct evdev_device *device)
+ return;
+
+ if (!libevdev_has_event_code(evdev, EV_ABS, ABS_MT_POSITION_X) ||
+- !libevdev_has_event_code(evdev, EV_ABS, ABS_MT_POSITION_Y))
++ !libevdev_has_event_code(evdev, EV_ABS, ABS_MT_POSITION_Y) ||
++ !evdev_is_fake_mt_device(device))
+ return;
+
+ libevdev_enable_event_code(evdev, EV_ABS, ABS_X,
+@@ -1611,10 +1628,10 @@ evdev_configure_device(struct evdev_device *device)
+ return -1;
+ }
+
+- if (libevdev_has_event_code(evdev, EV_ABS, ABS_X) ||
+- libevdev_has_event_code(evdev, EV_ABS, ABS_MT_POSITION_X)) {
++ if (!evdev_is_fake_mt_device(device))
+ evdev_fix_android_mt(device);
+
++ if (libevdev_has_event_code(evdev, EV_ABS, ABS_X)) {
+ if (evdev_fix_abs_resolution(device,
+ ABS_X,
+ ABS_Y,
+@@ -1624,11 +1641,7 @@ evdev_configure_device(struct evdev_device *device)
+ device->abs.absinfo_x = libevdev_get_abs_info(evdev, ABS_X);
+ device->abs.absinfo_y = libevdev_get_abs_info(evdev, ABS_Y);
+
+- /* Fake MT devices have the ABS_MT_SLOT bit set because of
+- the limited ABS_* range - they aren't MT devices, they
+- just have too many ABS_ axes */
+- if (libevdev_has_event_code(evdev, EV_ABS, ABS_MT_SLOT) &&
+- libevdev_get_num_slots(evdev) == -1) {
++ if (evdev_is_fake_mt_device(device)) {
+ udev_tags &= ~EVDEV_UDEV_TAG_TOUCHSCREEN;
+ } else if (evdev_configure_mt_device(device) == -1) {
+ return -1;
+--
+2.3.4
+
diff --git a/libinput.spec b/libinput.spec
index 6cf9d58..f068374 100644
--- a/libinput.spec
+++ b/libinput.spec
@@ -5,7 +5,7 @@
 Name: libinput
 Version: 0.13.0
-Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 2%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 Summary: Input device library
 License: MIT
@@ -18,6 +18,9 @@ Source2: commitid
 Source0: http://www.freedesktop.org/software/libinput/libinput-%{version}.tar.xz
 %endif
+Patch01: 0001-evdev-fix-crash-for-missing-ABS_X-Y.patch
+Patch02: 0002-evdev-fix-handling-of-fake-MT-devices-without-ABS_X-.patch
+
 BuildRequires: git
 BuildRequires: autoconf automake libtool pkgconfig
 BuildRequires: libevdev-devel
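Review bot: In the nested `src/evdev.c` hunk at `@@ -1441,7 +1457,8 @@`, the added `!evdev_is_fake_mt_device(device)` term looks inverted. The only call site shown (hunk `@@ -1611,10 +1628,10 @@`) already calls `evdev_fix_android_mt()` only when the device is not a fake MT device, so this guard always returns and the ABS_X/ABS_Y fix-up can never run. Either drop the `!` so the line reads `evdev_is_fake_mt_device(device))`, or remove the term and rely on the caller's check. Separately, the new `if (libevdev_has_event_code(evdev, EV_ABS, ABS_X)) {` tests only ABS_X before `absinfo_y` is read from ABS_Y; a device that advertises ABS_X without ABS_Y would leave that pointer NULL, and whether it is dereferenced later is not visible here. Both function bodies extend beyond the hunks.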
@@ -84,6 +87,9 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 %changelog
+* Wed Apr 08 2015 Peter Hutterer 0.13.0-2
+- Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574)
+
 * Tue Mar 24 2015 Peter Hutterer 0.13.0-1
 - libinput 0.13.0