* Mon Oct 27 2008 Peter Hutterer <peter.hutterer@redhat.com> 1.5.2-9

- xserver-1.5.2-more-sanity-checks.patch: more sanity checks to stop vmmouse from segfaulting the server. #434807
2008-10-27 00:56:04 +00:00 · 2008-10-27 00:56:04 +00:00 · d62ea486b4
commit d62ea486b4
parent 50cbe3972b
2 changed files with 51 additions and 1 deletions
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -19,7 +19,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.5.2
-Release:   8%{?dist}
+Release:   9%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -95,6 +95,9 @@ Patch6010: xserver-1.5.2-no-duplicate-devices.patch
 # exa performance fix
 Patch6011: xserver-1.5.2-exa-sync-less.patch

+# Bug 434807
+Patch6012: xserver-1.5.2-more-sanity-checks.patch
+
 %define moduledir	%{_libdir}/xorg/modules
 %define drimoduledir	%{_libdir}/dri
 %define sdkdir		%{_includedir}/xorg
@ -525,6 +528,10 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Mon Oct 27 2008 Peter Hutterer <peter.hutterer@redhat.com> 1.5.2-9
+- xserver-1.5.2-more-sanity-checks.patch: more sanity checks to stop vmmouse
+  from segfaulting the server. #434807
+
 * Wed Oct 22 2008 Peter Hutterer <peter.hutterer@redhat.com>
 - Update xserver-1.5.2-disable-kbd-mouse.patch: add line to xorg.conf man-page
  stating that devices are disabled if AEI is on.
--- a/xserver-1.5.2-more-sanity-checks.patch
+++ b/xserver-1.5.2-more-sanity-checks.patch
@ -0,0 +1,43 @@
+From 30c077f228f563e4e1f4115b345577d9fd393b68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@redhat.com>
+Date: Fri, 24 Oct 2008 15:06:49 +1030
+Subject: [PATCH] dix: extra sanity-checks against potential NULL-dereferences. #434807
+
+Two minor code paths could potentially crash the server:
+- if scr is NULL, we shouldn't try to dereference it.
+- if GPE is called with buttons != 0 but the event is not a
+  ButtonPress or ButtonRelease, the button mapping may dereference a NULL
+  pointer.
+
+Admittedly the second should never happen, but better to guard against it.
+---
+ dix/getevents.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/dix/getevents.c b/dix/getevents.c
+index 1e0edbf..923744d 100644
+--- a/dix/getevents.c
+++ b/dix/getevents.c
+@@ -537,6 +537,9 @@ GetPointerEvents(xEvent *events, DeviceIntPtr pDev, int type, int buttons,
+     ScreenPtr scr = miPointerGetScreen(pDev);
+ 
+     /* Sanity checks. */
+    if (!scr)
+        return 0;
+
+     if (type != MotionNotify && type != ButtonPress && type != ButtonRelease)
+         return 0;
+ 
+@@ -548,6 +551,9 @@ GetPointerEvents(xEvent *events, DeviceIntPtr pDev, int type, int buttons,
+     if (!pDev->valuator)
+         return 0;
+ 
+    if (buttons && !pDev->button)
+        return 0;
+
+     if (!coreOnly && pDev->coreEvents)
+         num_events = 2;
+     else
+-- 
+1.6.0.3
+