From bbf4fe102fb67ed43fe57df085c40de525b8f4c0 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Thu, 25 Oct 2012 15:03:50 +0200
Subject: [PATCH] Sync TouchListener memory allocation with population in
 TouchSetupListeners()

The allocated TouchListener array may fall short by 1 if hitting the worst case
situation where there's an active grab, passive grabs on each window in the
sprite trace and event selection for touch in one of the windows. This may lead
to memory corruptions as the array is overflown.

Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/touch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dix/touch.c b/dix/touch.c
index e64a626..5f77be5 100644
--- a/dix/touch.c
+++ b/dix/touch.c
@@ -572,8 +572,8 @@ TouchBuildSprite(DeviceIntPtr sourcedev, TouchPointInfoPtr ti,
         return FALSE;
 
     /* Mark which grabs/event selections we're delivering to: max one grab per
-     * window plus the bottom-most event selection. */
-    ti->listeners = calloc(sprite->spriteTraceGood + 1, sizeof(*ti->listeners));
+     * window plus the bottom-most event selection, plus any active grab. */
+    ti->listeners = calloc(sprite->spriteTraceGood + 2, sizeof(*ti->listeners));
     if (!ti->listeners) {
         sprite->spriteTraceGood = 0;
         return FALSE;
-- 
1.7.11.7