From 9804384192c9914140a69a7e2b31d5912360ea99 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Wed, 5 Feb 2014 07:45:57 +1000
Subject: [PATCH] Prevent out-of-bounds access in check_butmap_change (#1061466)
---
...tate-check-before-changing-a-button-.patch | 37 +++++++++++++++++++
xorg-x11-server.spec | 8 +++-
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 0001-dix-fix-button-state-check-before-changing-a-button-.patch
diff --git a/0001-dix-fix-button-state-check-before-changing-a-button-.patch b/0001-dix-fix-button-state-check-before-changing-a-button-.patch
new file mode 100644
index 0000000..3fcd74c
--- /dev/null
+++ b/0001-dix-fix-button-state-check-before-changing-a-button-.patch
@@ -0,0 +1,37 @@
+From 554814642e7c927d0c10cdc8a33067c076b159ed Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Fri, 24 Jan 2014 18:16:54 +1000
+Subject: [PATCH 1/3] dix: fix button state check before changing a button
+ mapping
+
+dev->button->down is a bitmask, not a normal array. Use the helper function to
+check, we technically allow the mapping to change after the physical button
+has been pressed (but not yet processed yet), so only check BUTTON_PROCESSED.
+
+From XSetPointerMapping(3):
+"If any of the buttons to be altered are logically in the down state,
+XSetPointerMapping returns MappingBusy, and the mapping is not changed."
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Peter Hutterer
+---
+ dix/inpututils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dix/inpututils.c b/dix/inpututils.c
+index 3e1d75f..0cbb02b 100644
+--- a/dix/inpututils.c
++++ b/dix/inpututils.c
+@@ -60,7 +60,8 @@ check_butmap_change(DeviceIntPtr dev, CARD8 *map, int len, CARD32 *errval_out,
+ }
+
+ for (i = 0; i < len; i++) {
+- if (dev->button->map[i + 1] != map[i] && dev->button->down[i + 1])
++ if (dev->button->map[i + 1] != map[i] &&
++ button_is_down(dev, i + 1, BUTTON_PROCESSED))
+ return MappingBusy;
+ }
+
+--
+1.8.4.2
+
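Review bot: In the embedded dix/inpututils.c hunk, `dev->button->map[i + 1]` and the new `button_is_down(dev, i + 1, BUTTON_PROCESSED)` are both indexed from the caller-supplied `len`, and no bound on `len` is visible in these lines. The fix removes the byte-indexed read of the `down` bitmask, but the loop remains safe only if every caller keeps `len` below the map size; that is presumably enforced at the request layer, which this hunk does not show. I would state the precondition above the loop, e.g. `/* len is client-controlled; callers guarantee len < MAP_LENGTH, so i + 1 is a valid button index */`, or guard it with `if (len < 0 || len >= MAP_LENGTH) return BadValue;` if `MAP_LENGTH` is indeed the size of `map` and the guarantee cannot be made. check_butmap_change begins and ends outside the hunk, so an earlier check in the function may already cover this.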
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 59a1ea2..aefe162 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.15.0 -Release: 2%{?gitdate:.%{gitdate}}%{dist} +Release: 3%{?gitdate:.%{gitdate}}%{dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -141,6 +141,9 @@ Patch9002: 0001-xwayland-Just-send-the-bounding-box-of-the-damage.patch # submitted: http://lists.x.org/archives/xorg-devel/2013-October/037996.html Patch9100: exa-only-draw-valid-trapezoids.patch +# in pull request http://patchwork.freedesktop.org/patch/19468/ +Patch9103: 0001-dix-fix-button-state-check-before-changing-a-button-.patch + %global moduledir %{_libdir}/xorg/modules %global drimoduledir %{_libdir}/dri %global sdkdir %{_includedir}/xorg @@ -636,6 +639,9 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Wed Feb 05 2014 Peter Hutterer 1.15.0-3 +- Prevent out-of-bounds access in check_butmap_change (#1061466) + * Tue Jan 14 2014 Adam Jackson 1.15.0-2 - exa-only-draw-valid-trapezoids.patch: Fix crash in exa.