| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
serial != sequenceNumber, see _XSetLastRequestRead()
cookie->serial is already set at this point, setting it again directly from
the sequenceNumber of the event causes a bunch of weird issues such as
scrollbars and text drag-n-drop breaking.
https://bugzilla.redhat.com/show_bug.cgi?id=965347
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9)
|
|
nptr is (signed) char, which can be negative, and will sign extend
when added to the int size, which means size can be subtracted from,
leading to allocating too small a buffer to hold the data being copied
from the X server's reply.
v2: check that string size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81b4df8ac6aa1520c41c3526961014a6f115cc46)
|
|
If the length of the reply as reported by the Xserver is too long, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ef82512288d8ca36ac0beeb289f158195b0a8cae)
|
|
If the number of items as reported by the Xserver is too large, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c)
|
|
If the number of events or masks reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
or the sizes overflow as they are totaled up, then memory corruption can
occur when more bytes are copied from the X server reply than the size
of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845)
|
|
If the number of items reported by the server is large enough that
it overflows when multiplied by the size of the appropriate item type,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 242f92b490a695fbab244af5bad11b71f897c732)
|
|
If the number of events or axes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bb922ed4253b35590f0369f32a917ff89ade0830)
|
|
If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff)
|
|
If the number of feedbacks reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, or
if the total size of all the feedback structures overflows when added
together, then memory corruption can occur when more bytes are copied from
the X server reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 322ee3576789380222d4403366e4fd12fb24cb6a)
|
|
If the number of valuators reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are copied from the X server
reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec)
|
|
If the lengths given for each class state in the reply add up to more
than the rep.length, we could read past the end of the buffer allocated
to hold the data read from the server.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 5398ac0797f7516f2c9b8f2869a6c6d071437352)
|
|
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 91434737f592e8f5cc1762383882a582b55fc03a)
|
|
We copy the entire reply sent by the server into the fixed size
mapping[] array on the stack, even if the server says it's a larger
size than the mapping array can hold. HULK SMASH STACK!
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f3e08e4fbe40016484ba795feecf1a742170ffc1)
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 59b8e1388a687f871831ac5a9e0ac11de75e2516)
|
|
X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
(cherry picked from commit 5d43d4914dcabb6de69859567061e99300e56ef4)
Conflicts:
src/XExtInt.c
|
|
Unpacking from the wire involves un-interleaving the structs & masks,
which wasn't obvious to me the first time I read it, so make notes
before I forget again.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bb82c72a1d69eaf60b7586570faf797df967f661)
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Looks like XI_RawTouch* events are missing in the big switch in this function.
When running XIT tests for multitouch devices, several following errors appears:
XInputCopyCookie: Failed to copy evtype 22
XInputCopyCookie: Failed to copy evtype 23
XInputCopyCookie: Failed to copy evtype 24
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 236be512c81b76dad711bec481e2139584006c4c)
|
|
The man page itself already contained the description, but it was missing
from NAME so the shadow man pages were not generated.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@ubuntu.com>
(cherry picked from commit 845550471fcd95d77e8d738ab8798d8e6e568b4a)
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 8c0eb1b6b4017b1e886981dc32cea90f2d4b9b64)
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XIQueryVersion(v1);
XIQueryVersion(v2);
is now ok as long as v1 <= v2.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
The extension record is currently leaked and never freed.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XI 2.2 and later include the sourceid in raw events.
X.Org Bug 34240 <http://bugs.freedesktop.org/show_bug.cgi?id=34240>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
No functional changes, this simply introduces a version helper function that
returns -1, 0 or 1 depending on the version comparison result. To be used
internally only.
Needed for fix to #34240
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
Regression introduced in c1a5a70b51f12dedf354102217c7cd4247ed3a4b.
If double-padding is applied, the length of the mask on the wire may be
smaller than libXi's mask_len. When copying, only the wire length must be
copied, with the remainder set to 0.
When advancing to the button labels, the wire length matters, not libXi's
internal length.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
This fixes scroll class increment values on 32-bit machines. Performing
1UL << 32 shifts the bit off the end of a 32-bit unsigned long value. By
expanding to 1ULL, we have the full 64-bits of an unsigned long long
including on 32-bit machines.
Before this change, xinput list --long would output scroll increment
values of -nan.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XIValuatorClassInfo and XIScrollClassInfo might have an address
of 4 bytes modulo 8, while they contain doubles which need 8 byte
alignment. This is fixed by adding extra padding after each structure
or array in sizeDeviceClassType and adding helper functions to
determine sizes and padding only in one place.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=38331
Signed-off-by: Michał Masłowski <mtjm@mtjm.eu>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
inputproto 2.1.99.6 restored the previous request for ABI compatibility
reasons, and it introduced a new XI 2.2 specific define.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
|
|
Calculate length field to a multiples of sizeof(XID). XIDs are typedefs
to ulong and thus may be 8 bytes on some platforms. This can trigger a
SIGBUS if a class ends up not being 8-aligned (e.g. after XAxisInfo).
Reported-by: Nicolai Stange <nicolai.stange@zmaw.de>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Cyril Brulebois <kibi@debian.org>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Conflicts:
configure.ac
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Adds support for the new TouchClass for multitouch-capable servers/devices.
New events:
XITouchOwnershipEvent
New event types handled:
XITouchBegin, XITouchUpdate, XITouchEnd
XIRawTouchBegin, XIRawTouchUpdate, XIRawTouchEnd
New functions:
XIGrabTouchBegin ... passive grabs on touches
XIUngrabTouchBegin
XIAllowTouchEvents ... Allow/reject touch event sequences
New XIQueryDevice classes:
XITouchClassInfo
Requires libX11 1.5 for GetReqSized
Co-authored by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Xmalloc is a macro evaluating its argument twice.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
sizeof(bla * sizeof()) is'nt right.
Plus add some () to the next_block call too to emphasise that *nclasses is
the multiplicator.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Reword slightly that the returned value is the error code for this
particular grab.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Reported-by: Matthias Clasen <mclasen@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
A few lines south from here we malloc lib->classes, this assignment is a
leftover from 225071e2e67fb65a0258397212f9826c9b25e078.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
<title> or <funcdef> string it goes with.
2 - fix any <linkend>'s that were affected by 1.
3 - any <function> in the docs that has an actual funcdef,
will become an olink.
Signed-off-by: Matt Dew <marcoz@osource.org>
|
