From d62ea486b4914bdc261feb4e6523c15edce26575 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Mon, 27 Oct 2008 00:56:04 +0000 Subject: [PATCH] * Mon Oct 27 2008 Peter Hutterer 1.5.2-9 - xserver-1.5.2-more-sanity-checks.patch: more sanity checks to stop vmmouse from segfaulting the server. #434807 --- xorg-x11-server.spec | 9 +++++- xserver-1.5.2-more-sanity-checks.patch | 43 ++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 xserver-1.5.2-more-sanity-checks.patch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index a539e0d..fb478c1 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -19,7 +19,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.5.2 -Release: 8%{?dist} +Release: 9%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -95,6 +95,9 @@ Patch6010: xserver-1.5.2-no-duplicate-devices.patch # exa performance fix Patch6011: xserver-1.5.2-exa-sync-less.patch +# Bug 434807 +Patch6012: xserver-1.5.2-more-sanity-checks.patch + %define moduledir %{_libdir}/xorg/modules %define drimoduledir %{_libdir}/dri %define sdkdir %{_includedir}/xorg @@ -525,6 +528,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Oct 27 2008 Peter Hutterer 1.5.2-9 +- xserver-1.5.2-more-sanity-checks.patch: more sanity checks to stop vmmouse + from segfaulting the server. #434807 + * Wed Oct 22 2008 Peter Hutterer - Update xserver-1.5.2-disable-kbd-mouse.patch: add line to xorg.conf man-page stating that devices are disabled if AEI is on. diff --git a/xserver-1.5.2-more-sanity-checks.patch b/xserver-1.5.2-more-sanity-checks.patch new file mode 100644 index 0000000..f9fda89 --- /dev/null +++ b/xserver-1.5.2-more-sanity-checks.patch 
@@ -0,0 +1,43 @@
+From 30c077f228f563e4e1f4115b345577d9fd393b68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Fri, 24 Oct 2008 15:06:49 +1030
+Subject: [PATCH] dix: extra sanity-checks against potential NULL-dereferences. #434807
+
+Two minor code paths could potentially crash the server:
+- if scr is NULL, we shouldn't try to dereference it.
+- if GPE is called with buttons != 0 but the event is not a
+ ButtonPress or ButtonRelease, the button mapping may dereference a NULL
+ pointer.
+
+Admittedly the second should never happen, but better to guard against it.
+---
+ dix/getevents.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/dix/getevents.c b/dix/getevents.c
+index 1e0edbf..923744d 100644
+--- a/dix/getevents.c
++++ b/dix/getevents.c
+@@ -537,6 +537,9 @@ GetPointerEvents(xEvent *events, DeviceIntPtr pDev, int type, int buttons,
+ ScreenPtr scr = miPointerGetScreen(pDev);
+
+ /* Sanity checks. */
++ if (!scr)
++ return 0;
++
+ if (type != MotionNotify && type != ButtonPress && type != ButtonRelease)
+ return 0;
+
+@@ -548,6 +551,9 @@ GetPointerEvents(xEvent *events, DeviceIntPtr pDev, int type, int buttons,
+ if (!pDev->valuator)
+ return 0;
+
++ if (buttons && !pDev->button)
++ return 0;
++
+ if (!coreOnly && pDev->coreEvents)
+ num_events = 2;
+ else
+--
+1.6.0.3
+
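Review bot: The guard added in the second embedded hunk of dix/getevents.c, `if (buttons && !pDev->button)`, checks only that the button class exists, not that `buttons` is a usable index. The patch description says the value feeds the button mapping; if that is an array lookup such as `pDev->button->map[buttons]` (not visible here, since GetPointerEvents continues outside both hunks), a negative or oversized value from a misbehaving driver would still read out of bounds. Consider extending the check to `if (buttons && (!pDev->button || buttons < 0 || buttons >= MAP_LENGTH)) return 0;`, assuming the map is the fixed-size array sized by MAP_LENGTH. A one-line comment on each new guard naming the driver condition it protects against, e.g. `/* device has no button class; a buggy driver may still pass a button number */`, would also keep them from being removed later as dead code.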