Prevent out-of-bounds access in check_butmap_change (#1061466)

2014-02-05 07:45:57 +10:00 · 2014-02-05 07:45:57 +10:00 · 9804384192
commit 9804384192
parent 0988cc4f36
2 changed files with 44 additions and 1 deletions
--- a/0001-dix-fix-button-state-check-before-changing-a-button-.patch
+++ b/0001-dix-fix-button-state-check-before-changing-a-button-.patch
@ -0,0 +1,37 @@
+From 554814642e7c927d0c10cdc8a33067c076b159ed Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 24 Jan 2014 18:16:54 +1000
+Subject: [PATCH 1/3] dix: fix button state check before changing a button
+ mapping
+
+dev->button->down is a bitmask, not a normal array. Use the helper function to
+check, we technically allow the mapping to change after the physical button
+has been pressed (but not yet processed yet), so only check BUTTON_PROCESSED.
+
+From XSetPointerMapping(3):
+"If any of the buttons to be altered are logically in the down state,
+XSetPointerMapping returns MappingBusy, and the mapping is not changed."
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/inpututils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dix/inpututils.c b/dix/inpututils.c
+index 3e1d75f..0cbb02b 100644
+--- a/dix/inpututils.c
+++ b/dix/inpututils.c
+@@ -60,7 +60,8 @@ check_butmap_change(DeviceIntPtr dev, CARD8 *map, int len, CARD32 *errval_out,
+     }
+ 
+     for (i = 0; i < len; i++) {
+-        if (dev->button->map[i + 1] != map[i] && dev->button->down[i + 1])
+        if (dev->button->map[i + 1] != map[i] &&
+            button_is_down(dev, i + 1, BUTTON_PROCESSED))
+             return MappingBusy;
+     }
+ 
+-- 
+1.8.4.2
+
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -42,7 +42,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.15.0
-Release:   2%{?gitdate:.%{gitdate}}%{dist}
+Release:   3%{?gitdate:.%{gitdate}}%{dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -141,6 +141,9 @@ Patch9002: 0001-xwayland-Just-send-the-bounding-box-of-the-damage.patch
 # submitted: http://lists.x.org/archives/xorg-devel/2013-October/037996.html
 Patch9100: exa-only-draw-valid-trapezoids.patch

+# in pull request http://patchwork.freedesktop.org/patch/19468/
+Patch9103: 0001-dix-fix-button-state-check-before-changing-a-button-.patch
+
 %global moduledir	%{_libdir}/xorg/modules
 %global drimoduledir	%{_libdir}/dri
 %global sdkdir		%{_includedir}/xorg
@ -636,6 +639,9 @@ rm -rf $RPM_BUILD_ROOT
 %{xserver_source_dir}

 %changelog
+* Wed Feb 05 2014 Peter Hutterer <peter.hutterer@redhat.com> 1.15.0-3
+- Prevent out-of-bounds access in check_butmap_change (#1061466)
+
 * Tue Jan 14 2014 Adam Jackson <ajax@redhat.com> 1.15.0-2
 - exa-only-draw-valid-trapezoids.patch: Fix crash in exa.