summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-07-18libXi 1.7.4libXi-1.7.4Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-07-14Fix locking bugs with XIAllowTouchEvents() and XIUngrabTouchBegin()Owen W. Taylor
Fix two places where the display was double locked when an API function chained to an implementation that also locks the display. Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-07-10libXi 1.7.3libXi-1.7.3Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-07-10XIPassiveGrab: Fix completely broken locking in XIGrabTouchBeginJasper St. Pierre
_XIPassiveGrabDevice calls LockDisplay as the first thing it does. That means that it expects the display to be unlocked. XIGrabTouchBegin locks the display to check for the XI extension, and then never unlocks it. Effectively, this meant that anybody that called XIGrabTouchBegin after XInitThreads just got a deadlock. Cool. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-07-10XIPassiveGrab: Fix display locking inside _XIPassiveGrabDevice for error pathsJasper St. Pierre
The code here before would just leave the display locked on error, which is all sorts of broken. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-11-25Remove fallback for _XEatDataWords, require libX11 1.6 for itMichael Joost
_XEatDataWords was orignally introduced with the May 2013 security patches, and in order to ease the process of delivering those, fallback versions of _XEatDataWords were included in the X extension library patches so they could be applied to older versions that didn't have libX11 1.6 yet. Now that we're past that hurdle, we can drop the fallbacks and just require libX11 1.6 for building new versions of the extension libraries. Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-07-26man: Update XIQueryVersion docs to match new version compatibility semanticsKeith Packard
The X server now allows clients to specify any combination of versions starting with version 2.2, document how that works. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-07-03libXi 1.7.2libXi-1.7.2Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-28Remove check that can never be true.Thomas Klausner
clang warns: warning: comparison of constant 268435455 with expression of type 'CARD16' (aka 'unsigned short') is always false Signed-off-by: Thomas Klausner <wiz@NetBSD.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-27libXi 1.7.1.901libXi-1.7.1.901Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-27Include limits.h to prevent build error: missing INT_MAXPeter Hutterer
Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-27If the XGetDeviceDontPropagateList reply has an invalid length, return 0Peter Hutterer
If we skip over the reply data, return 0 as number of event classes. Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-27Change size += to size = in XGetDeviceControlPeter Hutterer
size += blah is technically correct but it implies that we're looping or otherwise incrementing the size. Which we don't, it's only ever set once. Change this to avoid reviewer confusion. Reported-by: Dave "color-me-confused" Airlie <airlied@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-06-27Fix potential corruption in mask_len handlingPeter Hutterer
First: check for allocation failure on the mask. XI2 requires that the mask is zeroed, so we can't just Data() the mask provided by the client (it will pad) - we need a tmp buffer. Make sure that doesn't fail. Second: req->mask_len is a uint16_t, so check against malicious mask_lens that would cause us to corrupt memory on copy, as the code always allocates req->mask_len * 4, but copies mask->mask_len bytes. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-24Don't overwrite the cookies serial numberPeter Hutterer
serial != sequenceNumber, see _XSetLastRequestRead() cookie->serial is already set at this point, setting it again directly from the sequenceNumber of the event causes a bunch of weird issues such as scrollbars and text drag-n-drop breaking. https://bugzilla.redhat.com/show_bug.cgi?id=965347 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23sign extension issue in XListInputDevices() [CVE-2013-1995]Alan Coopersmith
nptr is (signed) char, which can be negative, and will sign extend when added to the int size, which means size can be subtracted from, leading to allocating too small a buffer to hold the data being copied from the X server's reply. v2: check that string size fits inside the data read from the server, so that we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]Alan Coopersmith
If the length of the reply as reported by the Xserver is too long, it could overflow the calculation for the size of the buffer to copy the reply into, causing memory corruption. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]Alan Coopersmith
If the number of items as reported by the Xserver is too large, it could overflow the calculation for the size of the buffer to copy the reply into, causing memory corruption. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]Alan Coopersmith
If the number of events or masks reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, or the sizes overflow as they are totaled up, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so that we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XIGetProperty() [CVE-2013-1984 5/8]Alan Coopersmith
If the number of items reported by the server is large enough that it overflows when multiplied by the size of the appropriate item type, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]Alan Coopersmith
If the number of events or axes reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]Alan Coopersmith
If the number of event classes reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. V2: EatData if count is 0 but length is > 0 to avoid XIOErrors Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]Alan Coopersmith
If the number of feedbacks reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, or if the total size of all the feedback structures overflows when added together, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]Alan Coopersmith
If the number of valuators reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]Alan Coopersmith
If the lengths given for each class state in the reply add up to more than the rep.length, we could read past the end of the buffer allocated to hold the data read from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]Alan Coopersmith
If the server returned more modifiers than the caller asked for, we'd just keep copying past the end of the array provided by the caller, writing over who-knows-what happened to be there. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]Alan Coopersmith
We copy the entire reply sent by the server into the fixed size mapping[] array on the stack, even if the server says it's a larger size than the mapping array can hold. HULK SMASH STACK! Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Use _XEatDataWords to avoid overflow of rep.length bit shiftingAlan Coopersmith
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-20Copy the sequence number into the target event too (#64687)Peter Hutterer
X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2013-04-30Expand comment on the memory vs. reply ordering in XIGetSelectedEvents()Alan Coopersmith
Unpacking from the wire involves un-interleaving the structs & masks, which wasn't obvious to me the first time I read it, so make notes before I forget again. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-04-05libXi 1.7.1libXi-1.7.1Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-04-05Require XFixes for PointerBarrier, remove duplicate typedefPeter Hutterer
The PointerBarrier typedef is duplicate if a client includes both Xfixes.h and XInput2.h. gcc 4.6 won't complain about that, but earlier versions do: http://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=ce3765bf44e49ef0568a1ad4a0b7f807591d6412 gcc 4.6 with -pedantic-errors shows: /opt/xorg/include/X11/extensions/XInput2.h:172:13: error: redefinition of typedef ‘PointerBarrier’ [-pedantic] In file included from test.c:1:0: /opt/xorg/include/X11/extensions/Xfixes.h:255:13: note: previous declaration of ‘PointerBarrier’ was here Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
2013-03-07libXi 1.7libXi-1.7Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-01-15autogen.sh: Implement GNOME Build APIColin Walters
http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-01-15configure: Remove AM_MAINTAINER_MODEAdam Jackson
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-01-15Add missing XI_RawTouch* in XInputCopyCookieBenjamin Tissoires
Looks like XI_RawTouch* events are missing in the big switch in this function. When running XIT tests for multitouch devices, several following errors appears: XInputCopyCookie: Failed to copy evtype 22 XInputCopyCookie: Failed to copy evtype 23 XInputCopyCookie: Failed to copy evtype 24 Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-26libXi 1.6.99.1libXi-1.6.99.1Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-17Merge branch 'barriers'Peter Hutterer
2012-12-09man: add man-page for XIBarrierReleasePointerPeter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-09Add support for pointer barrier eventsJasper St. Pierre
Signed-off-by: Jasper St. Pierre <jstpierre@mecheye.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-09Bump to 1.6.99Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-10Fix const compiler warningsPeter Hutterer
XExtInt.c:80:38: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:150:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:151:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:152:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:153:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:154:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
2012-12-10Fix compiler warningsPeter Hutterer
XIQueryVersion.c: In function '_xiQueryVersion': XIQueryVersion.c:63:26: warning: declaration of 'info' shadows a parameter [-Wshadow] XIQueryVersion.c:53:73: warning: shadowed declaration is here [-Wshadow] XExtInt.c: In function 'XInputWireToEvent': XExtInt.c:823:25: warning: declaration of 'i' shadows a previous local [-Wshadow] XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow] XExtInt.c:850:25: warning: declaration of 'i' shadows a previous local [-Wshadow] XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:166:17: note: previous declaration of '_xidevicebusy' was here XExtInt.c:101:12: warning: redundant redeclaration of '_XiGetDevicePresenceNotifyEvent' [-Wredundant-decls] XExtInt.c:76:13: warning: redundant redeclaration of '_xibaddevice' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:162:17: note: previous declaration of '_xibaddevice' was here XExtInt.c:81:13: warning: redundant redeclaration of '_xibadclass' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:163:17: note: previous declaration of '_xibadclass' was here XExtInt.c:86:13: warning: redundant redeclaration of '_xibadevent' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:164:17: note: previous declaration of '_xibadevent' was here XExtInt.c:91:13: warning: redundant redeclaration of '_xibadmode' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:165:17: note: previous declaration of '_xibadmode' was here XExtInt.c:96:13: warning: redundant redeclaration of '_xidevicebusy' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:166:17: note: previous declaration of '_xidevicebusy' was here XListDev.c: In function 'ParseClassInfo': XListDev.c:116:33: warning: declaration of 'k' shadows a previous local [-Wshadow] XListDev.c:109:12: warning: shadowed declaration is here [-Wshadow] XGetFCtl.c: In function 'XGetFeedbackControl': XGetFCtl.c:184:26: warning: declaration of 'i' shadows a previous local [-Wshadow] XGetFCtl.c:72:17: warning: shadowed declaration is here [-Wshadow] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
2012-11-09man: add generation of missing man pages for XIGrabTouchBeginPeter Hutterer
The man page itself already contained the description, but it was missing from NAME so the shadow man pages were not generated. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@ubuntu.com>
2012-10-11man: fix formatting issues in XGetDeviceControl(3)Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-05-03libXi 1.6.1libXi-1.6.1Peter Hutterer
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-04-23man: update XIQueryVersion for current server behaviourPeter Hutterer
XIQueryVersion(v1); XIQueryVersion(v2); is now ok as long as v1 <= v2. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2012-04-23Destroy extension record after last display is removedChase Douglas
The extension record is currently leaked and never freed. Signed-off-by: Chase Douglas <chase.douglas@canonical.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-03-26Set the RawEvent sourceid (#34240)Peter Hutterer
XI 2.2 and later include the sourceid in raw events. X.Org Bug 34240 <http://bugs.freedesktop.org/show_bug.cgi?id=34240> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
2012-03-26Move version comparison into a helper function.Peter Hutterer
No functional changes, this simply introduces a version helper function that returns -1, 0 or 1 depending on the version comparison result. To be used internally only. Needed for fix to #34240 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@canonical.com>