Age | Commit message (Collapse) | Author |
|
_XIPassiveGrabDevice calls LockDisplay as the first thing it does. That
means that it expects the display to be unlocked. XIGrabTouchBegin locks
the display to check for the XI extension, and then never unlocks it.
Effectively, this meant that anybody that called XIGrabTouchBegin after
XInitThreads just got a deadlock.
Cool.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
The code here before would just leave the display locked on error, which is
all sorts of broken.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
_XEatDataWords was orignally introduced with the May 2013 security
patches, and in order to ease the process of delivering those,
fallback versions of _XEatDataWords were included in the X extension
library patches so they could be applied to older versions that didn't
have libX11 1.6 yet. Now that we're past that hurdle, we can drop
the fallbacks and just require libX11 1.6 for building new versions
of the extension libraries.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
clang warns:
warning: comparison of constant 268435455 with expression of type
'CARD16' (aka 'unsigned short') is always false
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If we skip over the reply data, return 0 as number of event classes.
Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
size += blah is technically correct but it implies that we're looping or
otherwise incrementing the size. Which we don't, it's only ever set once.
Change this to avoid reviewer confusion.
Reported-by: Dave "color-me-confused" Airlie <airlied@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
First: check for allocation failure on the mask.
XI2 requires that the mask is zeroed, so we can't just Data() the mask
provided by the client (it will pad) - we need a tmp buffer. Make sure that
doesn't fail.
Second:
req->mask_len is a uint16_t, so check against malicious mask_lens that would
cause us to corrupt memory on copy, as the code always allocates
req->mask_len * 4, but copies mask->mask_len bytes.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
serial != sequenceNumber, see _XSetLastRequestRead()
cookie->serial is already set at this point, setting it again directly from
the sequenceNumber of the event causes a bunch of weird issues such as
scrollbars and text drag-n-drop breaking.
https://bugzilla.redhat.com/show_bug.cgi?id=965347
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
nptr is (signed) char, which can be negative, and will sign extend
when added to the int size, which means size can be subtracted from,
leading to allocating too small a buffer to hold the data being copied
from the X server's reply.
v2: check that string size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the length of the reply as reported by the Xserver is too long, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of items as reported by the Xserver is too large, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of events or masks reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
or the sizes overflow as they are totaled up, then memory corruption can
occur when more bytes are copied from the X server reply than the size
of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of items reported by the server is large enough that
it overflows when multiplied by the size of the appropriate item type,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of events or axes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of feedbacks reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, or
if the total size of all the feedback structures overflows when added
together, then memory corruption can occur when more bytes are copied from
the X server reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of valuators reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are copied from the X server
reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the lengths given for each class state in the reply add up to more
than the rep.length, we could read past the end of the buffer allocated
to hold the data read from the server.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
We copy the entire reply sent by the server into the fixed size
mapping[] array on the stack, even if the server says it's a larger
size than the mapping array can hold. HULK SMASH STACK!
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Unpacking from the wire involves un-interleaving the structs & masks,
which wasn't obvious to me the first time I read it, so make notes
before I forget again.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
The PointerBarrier typedef is duplicate if a client includes both Xfixes.h
and XInput2.h.
gcc 4.6 won't complain about that, but earlier versions do:
http://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=ce3765bf44e49ef0568a1ad4a0b7f807591d6412
gcc 4.6 with -pedantic-errors shows:
/opt/xorg/include/X11/extensions/XInput2.h:172:13: error: redefinition of
typedef ‘PointerBarrier’ [-pedantic]
In file included from test.c:1:0:
/opt/xorg/include/X11/extensions/Xfixes.h:255:13: note: previous declaration
of ‘PointerBarrier’ was here
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Looks like XI_RawTouch* events are missing in the big switch in this function.
When running XIT tests for multitouch devices, several following errors appears:
XInputCopyCookie: Failed to copy evtype 22
XInputCopyCookie: Failed to copy evtype 23
XInputCopyCookie: Failed to copy evtype 24
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Jasper St. Pierre <jstpierre@mecheye.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XExtInt.c:80:38: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
XExtInt.c:150:5: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
XExtInt.c:151:5: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
XExtInt.c:152:5: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
XExtInt.c:153:5: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
XExtInt.c:154:5: warning: initialization discards 'const' qualifier from
pointer target type [enabled by default]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
|
|
XIQueryVersion.c: In function '_xiQueryVersion':
XIQueryVersion.c:63:26: warning: declaration of 'info' shadows a parameter
[-Wshadow]
XIQueryVersion.c:53:73: warning: shadowed declaration is here [-Wshadow]
XExtInt.c: In function 'XInputWireToEvent':
XExtInt.c:823:25: warning: declaration of 'i' shadows a previous local
[-Wshadow]
XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow]
XExtInt.c:850:25: warning: declaration of 'i' shadows a previous local
[-Wshadow]
XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:166:17: note: previous declaration of
'_xidevicebusy' was here
XExtInt.c:101:12: warning: redundant redeclaration of
'_XiGetDevicePresenceNotifyEvent' [-Wredundant-decls]
XExtInt.c:76:13: warning: redundant redeclaration of '_xibaddevice'
[-Wredundant-decls]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:162:17: note: previous declaration of
'_xibaddevice' was here
XExtInt.c:81:13: warning: redundant redeclaration of '_xibadclass'
[-Wredundant-decls]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:163:17: note: previous declaration of
'_xibadclass' was here
XExtInt.c:86:13: warning: redundant redeclaration of '_xibadevent'
[-Wredundant-decls]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:164:17: note: previous declaration of
'_xibadevent' was here
XExtInt.c:91:13: warning: redundant redeclaration of '_xibadmode'
[-Wredundant-decls]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:165:17: note: previous declaration of
'_xibadmode' was here
XExtInt.c:96:13: warning: redundant redeclaration of '_xidevicebusy'
[-Wredundant-decls]
In file included from XExtInt.c:64:0:
../include/X11/extensions/XInput.h:166:17: note: previous declaration of
'_xidevicebusy' was here
XListDev.c: In function 'ParseClassInfo':
XListDev.c:116:33: warning: declaration of 'k' shadows a previous local
[-Wshadow]
XListDev.c:109:12: warning: shadowed declaration is here [-Wshadow]
XGetFCtl.c: In function 'XGetFeedbackControl':
XGetFCtl.c:184:26: warning: declaration of 'i' shadows a previous local
[-Wshadow]
XGetFCtl.c:72:17: warning: shadowed declaration is here [-Wshadow]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
|
|
The extension record is currently leaked and never freed.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XI 2.2 and later include the sourceid in raw events.
X.Org Bug 34240 <http://bugs.freedesktop.org/show_bug.cgi?id=34240>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
No functional changes, this simply introduces a version helper function that
returns -1, 0 or 1 depending on the version comparison result. To be used
internally only.
Needed for fix to #34240
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
Regression introduced in c1a5a70b51f12dedf354102217c7cd4247ed3a4b.
If double-padding is applied, the length of the mask on the wire may be
smaller than libXi's mask_len. When copying, only the wire length must be
copied, with the remainder set to 0.
When advancing to the button labels, the wire length matters, not libXi's
internal length.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
This fixes scroll class increment values on 32-bit machines. Performing
1UL << 32 shifts the bit off the end of a 32-bit unsigned long value. By
expanding to 1ULL, we have the full 64-bits of an unsigned long long
including on 32-bit machines.
Before this change, xinput list --long would output scroll increment
values of -nan.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XIValuatorClassInfo and XIScrollClassInfo might have an address
of 4 bytes modulo 8, while they contain doubles which need 8 byte
alignment. This is fixed by adding extra padding after each structure
or array in sizeDeviceClassType and adding helper functions to
determine sizes and padding only in one place.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=38331
Signed-off-by: Michał Masłowski <mtjm@mtjm.eu>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
inputproto 2.1.99.6 restored the previous request for ABI compatibility
reasons, and it introduced a new XI 2.2 specific define.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
|
|
Calculate length field to a multiples of sizeof(XID). XIDs are typedefs
to ulong and thus may be 8 bytes on some platforms. This can trigger a
SIGBUS if a class ends up not being 8-aligned (e.g. after XAxisInfo).
Reported-by: Nicolai Stange <nicolai.stange@zmaw.de>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
|
|
Adds support for the new TouchClass for multitouch-capable servers/devices.
New events:
XITouchOwnershipEvent
New event types handled:
XITouchBegin, XITouchUpdate, XITouchEnd
XIRawTouchBegin, XIRawTouchUpdate, XIRawTouchEnd
New functions:
XIGrabTouchBegin ... passive grabs on touches
XIUngrabTouchBegin
XIAllowTouchEvents ... Allow/reject touch event sequences
New XIQueryDevice classes:
XITouchClassInfo
Requires libX11 1.5 for GetReqSized
Co-authored by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Xmalloc is a macro evaluating its argument twice.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
sizeof(bla * sizeof()) is'nt right.
Plus add some () to the next_block call too to emphasise that *nclasses is
the multiplicator.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
A few lines south from here we malloc lib->classes, this assignment is a
leftover from 225071e2e67fb65a0258397212f9826c9b25e078.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
|
|
No functional changes, just clarifying the code. If we skip over unknown
classes, lib->num_classes != wire->num_classe. Use a separate variable to
make that change more explicit and align the code closer with
wireToDeviceChangedEvent.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
|
|
This addresses a build failure found by the tinderbox.
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Add the required constants to pretend to support XI 2.1.
Having named constants for 2.1 seems a bit pointless, so let's just use the
numbers directly.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
If the server sends an unknown device class in response to an XIQueryDevice
call, no memory is allocated for these classes but we still write type
and sourceid as well as setting to->classes[i]. The latter causes multiple
classes to point to the same memory field.
Move the common code of assigning these three into the respective class type
handlers so to automatically skip any unknown classes.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Otherwise we run into the old problem again: recompiling libXi against
newer inputproto headers will appear to change the version support,
potentially causing errors or other misbehaviours.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
These defines are currently defined in XI.h and XI2.h. Their only use is as
offset into a library-internal array. Add them to XIint.h to have them where
they belong.
These defines do not have any effect on the protocol. They are simply
offsets into an array for libXi-specific version checking. The defines are
added to this header for readability, given that we cannot remove them from
the protocol without potentially breaking clients (who should never use
these anyway, but...) means they will never get hit.
Future defines for these offsets will only be added to libXi, not the
protocol.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Data32 takes and iterates over an array of longs, thus skipping every 4
bytes on LP64. Here we only have arrays of ints, use the normal Data macro
instead.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|