Fix from X.Org for CVE-2007-6427 - Xinput extension memory corruption.

author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-17 15:42:20 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-17 15:42:20 +0000
commit: bf7b08310c6daa8271502372e02f116f261b83db (patch)
tree: 6bd850e854d3c64a89a51c5ff92ca8a004e4f85c /xserver/Xi
parent: 1b54a67152537667e0fc3cb0ce8030d4105b919f (diff)
8 files changed, 253 insertions, 222 deletions
diff --git a/xserver/Xi/chgfctl.c b/xserver/Xi/chgfctl.c
index d0acc593b..235d65968 100644
--- a/xserver/Xi/chgfctl.c
+++ b/xserver/Xi/chgfctl.c
@@ -78,9 +78,9 @@ SOFTWARE.
  */
 
 int
-SProcXChangeFeedbackControl(register ClientPtr client)
+SProcXChangeFeedbackControl(ClientPtr client)
 {
-    register char n;
+    char n;
 
     REQUEST(xChangeFeedbackControlReq);
     swaps(&stuff->length, n);
@@ -89,141 +89,17 @@ SProcXChangeFeedbackControl(register ClientPtr client)
     return (ProcXChangeFeedbackControl(client));
 }
 
-/***********************************************************************
- *
- * Change the control attributes.
- *
- */
-
-int
-ProcXChangeFeedbackControl(ClientPtr client)
-{
-    unsigned len;
-    DeviceIntPtr dev;
-    KbdFeedbackPtr k;
-    PtrFeedbackPtr p;
-    IntegerFeedbackPtr i;
-    StringFeedbackPtr s;
-    BellFeedbackPtr b;
-    LedFeedbackPtr l;
-
-    REQUEST(xChangeFeedbackControlReq);
-    REQUEST_AT_LEAST_SIZE(xChangeFeedbackControlReq);
-
-    len = stuff->length - (sizeof(xChangeFeedbackControlReq) >> 2);
-    dev = LookupDeviceIntRec(stuff->deviceid);
-    if (dev == NULL) {
-	SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl, 0,
-			  BadDevice);
-	return Success;
-    }
-
-    switch (stuff->feedbackid) {
-    case KbdFeedbackClass:
-	if (len != (sizeof(xKbdFeedbackCtl) >> 2)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (k = dev->kbdfeed; k; k = k->next)
-	    if (k->ctrl.id == ((xKbdFeedbackCtl *) & stuff[1])->id) {
-		ChangeKbdFeedback(client, dev, stuff->mask, k,
-				  (xKbdFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    case PtrFeedbackClass:
-	if (len != (sizeof(xPtrFeedbackCtl) >> 2)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (p = dev->ptrfeed; p; p = p->next)
-	    if (p->ctrl.id == ((xPtrFeedbackCtl *) & stuff[1])->id) {
-		ChangePtrFeedback(client, dev, stuff->mask, p,
-				  (xPtrFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    case StringFeedbackClass:
-    {
-	register char n;
-	xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]);
-
-	if (client->swapped) {
-	    swaps(&f->num_keysyms, n);
-	}
-	if (len != ((sizeof(xStringFeedbackCtl) >> 2) + f->num_keysyms)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (s = dev->stringfeed; s; s = s->next)
-	    if (s->ctrl.id == ((xStringFeedbackCtl *) & stuff[1])->id) {
-		ChangeStringFeedback(client, dev, stuff->mask, s,
-				     (xStringFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    }
-    case IntegerFeedbackClass:
-	if (len != (sizeof(xIntegerFeedbackCtl) >> 2)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (i = dev->intfeed; i; i = i->next)
-	    if (i->ctrl.id == ((xIntegerFeedbackCtl *) & stuff[1])->id) {
-		ChangeIntegerFeedback(client, dev, stuff->mask, i,
-				      (xIntegerFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    case LedFeedbackClass:
-	if (len != (sizeof(xLedFeedbackCtl) >> 2)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (l = dev->leds; l; l = l->next)
-	    if (l->ctrl.id == ((xLedFeedbackCtl *) & stuff[1])->id) {
-		ChangeLedFeedback(client, dev, stuff->mask, l,
-				  (xLedFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    case BellFeedbackClass:
-	if (len != (sizeof(xBellFeedbackCtl) >> 2)) {
-	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
-			      0, BadLength);
-	    return Success;
-	}
-	for (b = dev->bell; b; b = b->next)
-	    if (b->ctrl.id == ((xBellFeedbackCtl *) & stuff[1])->id) {
-		ChangeBellFeedback(client, dev, stuff->mask, b,
-				   (xBellFeedbackCtl *) & stuff[1]);
-		return Success;
-	    }
-	break;
-    default:
-	break;
-    }
-
-    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl, 0, BadMatch);
-    return Success;
-}
-
 /******************************************************************************
  *
  * This procedure changes KbdFeedbackClass data.
  *
  */
 
-int
+static int
 ChangeKbdFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
 		  KbdFeedbackPtr k, xKbdFeedbackCtl * f)
 {
-    register char n;
+    char n;
     KeybdCtrl kctrl;
     int t;
     int key = DO_ALL;
@@ -351,11 +227,11 @@ ChangeKbdFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
  *
  */
 
-int
+static int
 ChangePtrFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
 		  PtrFeedbackPtr p, xPtrFeedbackCtl * f)
 {
-    register char n;
+    char n;
     PtrCtrl pctrl;	/* might get BadValue part way through */
 
     if (client->swapped) {
@@ -422,12 +298,12 @@ ChangePtrFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
  *
  */
 
-int
+static int
 ChangeIntegerFeedback(ClientPtr client, DeviceIntPtr dev,
 		      long unsigned int mask, IntegerFeedbackPtr i,
 		      xIntegerFeedbackCtl * f)
 {
-    register char n;
+    char n;
 
     if (client->swapped) {
 	swaps(&f->length, n);
@@ -445,24 +321,19 @@ ChangeIntegerFeedback(ClientPtr client, DeviceIntPtr dev,
  *
  */
 
-int
+static int
 ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
 		     long unsigned int mask, StringFeedbackPtr s,
 		     xStringFeedbackCtl * f)
 {
-    register char n;
-    register long *p;
+    char n;
     int i, j;
     KeySym *syms, *sup_syms;
 
     syms = (KeySym *) (f + 1);
     if (client->swapped) {
 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
-	p = (long *)(syms);
-	for (i = 0; i < f->num_keysyms; i++) {
-	    swapl(p, n);
-	    p++;
-	}
+	SwapLongs((CARD32 *) syms, f->num_keysyms);
     }
 
     if (f->num_keysyms > s->ctrl.max_symbols) {
@@ -495,12 +366,12 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
  *
  */
 
-int
+static int
 ChangeBellFeedback(ClientPtr client, DeviceIntPtr dev,
 		   long unsigned int mask, BellFeedbackPtr b,
 		   xBellFeedbackCtl * f)
 {
-    register char n;
+    char n;
     int t;
     BellCtrl bctrl;	/* might get BadValue part way through */
 
@@ -560,11 +431,11 @@ ChangeBellFeedback(ClientPtr client, DeviceIntPtr dev,
  *
  */
 
-int
+static int
 ChangeLedFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
 		  LedFeedbackPtr l, xLedFeedbackCtl * f)
 {
-    register char n;
+    char n;
     LedCtrl lctrl;	/* might get BadValue part way through */
 
     if (client->swapped) {
@@ -585,3 +456,128 @@ ChangeLedFeedback(ClientPtr client, DeviceIntPtr dev, long unsigned int mask,
 
     return Success;
 }
+
+/***********************************************************************
+ *
+ * Change the control attributes.
+ *
+ */
+
+int
+ProcXChangeFeedbackControl(ClientPtr client)
+{
+    unsigned len;
+    DeviceIntPtr dev;
+    KbdFeedbackPtr k;
+    PtrFeedbackPtr p;
+    IntegerFeedbackPtr i;
+    StringFeedbackPtr s;
+    BellFeedbackPtr b;
+    LedFeedbackPtr l;
+
+    REQUEST(xChangeFeedbackControlReq);
+    REQUEST_AT_LEAST_SIZE(xChangeFeedbackControlReq);
+
+    len = stuff->length - (sizeof(xChangeFeedbackControlReq) >> 2);
+    dev = LookupDeviceIntRec(stuff->deviceid);
+    if (dev == NULL) {
+	SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl, 0,
+			  BadDevice);
+	return Success;
+    }
+
+    switch (stuff->feedbackid) {
+    case KbdFeedbackClass:
+	if (len != (sizeof(xKbdFeedbackCtl) >> 2)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (k = dev->kbdfeed; k; k = k->next)
+	    if (k->ctrl.id == ((xKbdFeedbackCtl *) & stuff[1])->id) {
+		ChangeKbdFeedback(client, dev, stuff->mask, k,
+				  (xKbdFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    case PtrFeedbackClass:
+	if (len != (sizeof(xPtrFeedbackCtl) >> 2)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (p = dev->ptrfeed; p; p = p->next)
+	    if (p->ctrl.id == ((xPtrFeedbackCtl *) & stuff[1])->id) {
+		ChangePtrFeedback(client, dev, stuff->mask, p,
+				  (xPtrFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    case StringFeedbackClass:
+    {
+	char n;
+	xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]);
+
+	if (client->swapped) {
+	    swaps(&f->num_keysyms, n);
+	}
+	if (len != ((sizeof(xStringFeedbackCtl) >> 2) + f->num_keysyms)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (s = dev->stringfeed; s; s = s->next)
+	    if (s->ctrl.id == ((xStringFeedbackCtl *) & stuff[1])->id) {
+		ChangeStringFeedback(client, dev, stuff->mask, s,
+				     (xStringFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    }
+    case IntegerFeedbackClass:
+	if (len != (sizeof(xIntegerFeedbackCtl) >> 2)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (i = dev->intfeed; i; i = i->next)
+	    if (i->ctrl.id == ((xIntegerFeedbackCtl *) & stuff[1])->id) {
+		ChangeIntegerFeedback(client, dev, stuff->mask, i,
+				      (xIntegerFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    case LedFeedbackClass:
+	if (len != (sizeof(xLedFeedbackCtl) >> 2)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (l = dev->leds; l; l = l->next)
+	    if (l->ctrl.id == ((xLedFeedbackCtl *) & stuff[1])->id) {
+		ChangeLedFeedback(client, dev, stuff->mask, l,
+				  (xLedFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    case BellFeedbackClass:
+	if (len != (sizeof(xBellFeedbackCtl) >> 2)) {
+	    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl,
+			      0, BadLength);
+	    return Success;
+	}
+	for (b = dev->bell; b; b = b->next)
+	    if (b->ctrl.id == ((xBellFeedbackCtl *) & stuff[1])->id) {
+		ChangeBellFeedback(client, dev, stuff->mask, b,
+				   (xBellFeedbackCtl *) & stuff[1]);
+		return Success;
+	    }
+	break;
+    default:
+	break;
+    }
+
+    SendErrorToClient(client, IReqCode, X_ChangeFeedbackControl, 0, BadMatch);
+    return Success;
+}
+
diff --git a/xserver/Xi/chgkmap.c b/xserver/Xi/chgkmap.c
index 047b899ed..75ee9f5a5 100644
--- a/xserver/Xi/chgkmap.c
+++ b/xserver/Xi/chgkmap.c
@@ -76,21 +76,17 @@ SOFTWARE.
  */
 
 int
-SProcXChangeDeviceKeyMapping(register ClientPtr client)
+SProcXChangeDeviceKeyMapping(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i, count;
+    char n;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-    p = (long *)&stuff[1];
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-    for (i = 0; i < count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), count);
     return (ProcXChangeDeviceKeyMapping(client));
 }
 
@@ -101,15 +97,19 @@ SProcXChangeDeviceKeyMapping(register ClientPtr client)
  */
 
 int
-ProcXChangeDeviceKeyMapping(register ClientPtr client)
+ProcXChangeDeviceKeyMapping(ClientPtr client)
 {
     int ret;
     unsigned len;
     DeviceIntPtr dev;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 
+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
     dev = LookupDeviceIntRec(stuff->deviceid);
     if (dev == NULL) {
 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
diff --git a/xserver/Xi/chgprop.c b/xserver/Xi/chgprop.c
index 52c38838d..21bda5b06 100644
--- a/xserver/Xi/chgprop.c
+++ b/xserver/Xi/chgprop.c
@@ -78,22 +78,18 @@ SOFTWARE.
  */
 
 int
-SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+SProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
     return (ProcXChangeDeviceDontPropagateList(client));
 }
 
@@ -104,9 +100,9 @@ SProcXChangeDeviceDontPropagateList(register ClientPtr client)
  */
 
 int
-ProcXChangeDeviceDontPropagateList(register ClientPtr client)
+ProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
-    int i;
+    int i, rc;
     WindowPtr pWin;
     struct tmask tmp[EMASKSIZE];
     OtherInputMasks *others;
@@ -121,11 +117,10 @@ ProcXChangeDeviceDontPropagateList(register ClientPtr client)
 	return Success;
     }
 
-    pWin = (WindowPtr) LookupWindow(stuff->window, client);
-    if (!pWin) {
-	client->errorValue = stuff->window;
+    rc = dixLookupWindow(&pWin, stuff->window, client, DixUnknownAccess);
+    if (rc != Success) {
 	SendErrorToClient(client, IReqCode, X_ChangeDeviceDontPropagateList, 0,
-			  BadWindow);
+			  rc);
 	return Success;
     }
 
diff --git a/xserver/Xi/grabdev.c b/xserver/Xi/grabdev.c
index 3af2346e3..d0b4ae74c 100644
--- a/xserver/Xi/grabdev.c
+++ b/xserver/Xi/grabdev.c
@@ -79,11 +79,9 @@ extern int ExtEventIndex;
  */
 
 int
-SProcXGrabDevice(register ClientPtr client)
+SProcXGrabDevice(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -91,11 +89,11 @@ SProcXGrabDevice(register ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+       return BadLength;
+    
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDevice(client));
 }
@@ -202,7 +200,7 @@ CreateMaskFromList(ClientPtr client, XEventClass * list, int count,
 void
 SRepXGrabDevice(ClientPtr client, int size, xGrabDeviceReply * rep)
 {
-    register char n;
+    char n;
 
     swaps(&rep->sequenceNumber, n);
     swapl(&rep->length, n);
diff --git a/xserver/Xi/grabdevb.c b/xserver/Xi/grabdevb.c
index 4333550f1..18db1f7bd 100644
--- a/xserver/Xi/grabdevb.c
+++ b/xserver/Xi/grabdevb.c
@@ -77,11 +77,9 @@ SOFTWARE.
  */
 
 int
-SProcXGrabDeviceButton(register ClientPtr client)
+SProcXGrabDeviceButton(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(register ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+                      stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDeviceButton(client));
 }
diff --git a/xserver/Xi/grabdevk.c b/xserver/Xi/grabdevk.c
index 71e72d56f..429b2f78f 100644
--- a/xserver/Xi/grabdevk.c
+++ b/xserver/Xi/grabdevk.c
@@ -77,11 +77,9 @@ SOFTWARE.
  */
 
 int
-SProcXGrabDeviceKey(register ClientPtr client)
+SProcXGrabDeviceKey(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceKeyReq);
     swaps(&stuff->length, n);
@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(register ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDeviceKey(client));
 }
 
diff --git a/xserver/Xi/selectev.c b/xserver/Xi/selectev.c
index 3483804b1..19415c51f 100644
--- a/xserver/Xi/selectev.c
+++ b/xserver/Xi/selectev.c
@@ -74,6 +74,53 @@ SOFTWARE.
 extern Mask ExtExclusiveMasks[];
 extern Mask ExtValidMasks[];
 
+static int
+HandleDevicePresenceMask(ClientPtr client, WindowPtr win,
+                         XEventClass *cls, CARD16 *count)
+{
+    int i, j;
+    Mask mask;
+
+    /* We use the device ID 256 to select events that aren't bound to
+     * any device.  For now we only handle the device presence event,
+     * but this could be extended to other events that aren't bound to
+     * a device.
+     *
+     * In order not to break in CreateMaskFromList() we remove the
+     * entries with device ID 256 from the XEventClass array.
+     */
+
+    mask = 0;
+    for (i = 0, j = 0; i < *count; i++) {
+        if (cls[i] >> 8 != 256) {
+            cls[j] = cls[i];
+            j++;
+            continue;
+        }
+
+        switch (cls[i] & 0xff) {
+        case _devicePresence:
+            mask |= DevicePresenceNotifyMask;
+            break;
+        }
+    }
+
+    *count = j;
+
+    if (mask == 0)
+        return Success;
+
+    /* We always only use mksidx = 0 for events not bound to
+     * devices */
+
+    if (AddExtensionClient (win, client, mask, 0) != Success)
+        return BadAlloc;
+
+    RecalculateDeviceDeliverableEvents(win);
+
+    return Success;
+}
+
 /***********************************************************************
  *
  * Handle requests from clients with a different byte order.
@@ -81,22 +128,19 @@ extern Mask ExtValidMasks[];
  */
 
 int
-SProcXSelectExtensionEvent(register ClientPtr client)
+SProcXSelectExtensionEvent(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
     return (ProcXSelectExtensionEvent(client));
 }
 
@@ -107,7 +151,7 @@ SProcXSelectExtensionEvent(register ClientPtr client)
  */
 
 int
-ProcXSelectExtensionEvent(register ClientPtr client)
+ProcXSelectExtensionEvent(ClientPtr client)
 {
     int ret;
     int i;
@@ -123,14 +167,19 @@ ProcXSelectExtensionEvent(register ClientPtr client)
 	return Success;
     }
 
-    pWin = (WindowPtr) LookupWindow(stuff->window, client);
-    if (!pWin) {
-	client->errorValue = stuff->window;
-	SendErrorToClient(client, IReqCode, X_SelectExtensionEvent, 0,
-			  BadWindow);
+    ret = dixLookupWindow(&pWin, stuff->window, client, DixUnknownAccess);
+    if (ret != Success) {
+	SendErrorToClient(client, IReqCode, X_SelectExtensionEvent, 0, ret);
 	return Success;
     }
 
+    if (HandleDevicePresenceMask(client, pWin, (XEventClass *) & stuff[1],
+                                &stuff->count) != Success) {
+       SendErrorToClient(client, IReqCode, X_SelectExtensionEvent, 0,
+                         BadAlloc);
+       return Success;
+    }
+
     if ((ret = CreateMaskFromList(client, (XEventClass *) & stuff[1],
 				  stuff->count, tmp, NULL,
 				  X_SelectExtensionEvent)) != Success)
diff --git a/xserver/Xi/sendexev.c b/xserver/Xi/sendexev.c
index c2763bb22..9803cf326 100644
--- a/xserver/Xi/sendexev.c
+++ b/xserver/Xi/sendexev.c
@@ -80,11 +80,11 @@ extern int lastEvent;	/* Defined in extension.c */
  */
 
 int
-SProcXSendExtensionEvent(register ClientPtr client)
+SProcXSendExtensionEvent(ClientPtr client)
 {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
+    CARD32 *p;
+    int i;
     xEvent eventT;
     xEvent *eventP;
     EventSwapPtr proc;
@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(register ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
     swapl(&stuff->destination, n);
     swaps(&stuff->count, n);
+
+    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+       (stuff->num_events * (sizeof(xEvent) >> 2)))
+       return BadLength;
+
     eventP = (xEvent *) & stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
 	proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(register ClientPtr client)
 	*eventP = eventT;
     }
 
-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+    SwapLongs(p, stuff->count);
     return (ProcXSendExtensionEvent(client));
 }
 
@@ -119,7 +121,7 @@ SProcXSendExtensionEvent(register ClientPtr client)
  */
 
 int
-ProcXSendExtensionEvent(register ClientPtr client)
+ProcXSendExtensionEvent(ClientPtr client)
 {
     int ret;
     DeviceIntPtr dev;
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-17 15:42:20 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-17 15:42:20 +0000
commit	bf7b08310c6daa8271502372e02f116f261b83db (patch)
tree	6bd850e854d3c64a89a51c5ff92ca8a004e4f85c /xserver/Xi
parent	1b54a67152537667e0fc3cb0ce8030d4105b919f (diff)