[Xquartz-changes] xserver: Branch 'master' - 2 commits
Jeremy Huddleston
jeremyhu at freedesktop.org
Thu Aug 19 19:45:47 PDT 2010
dix/getevents.c | 21 ++++++++++++++++-----
dix/window.c | 2 ++
2 files changed, 18 insertions(+), 5 deletions(-)
New commits:
commit fc091936e2bddbbab9c9a501edc5a5f08388617e
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Mon Aug 16 14:18:45 2010 +1000
dix: copy the valuators passed into GPE/GKVE/GProxE.
GPE and friends modify the valuators array passed in. Which means any driver
using e.g. xf86PostButtonEventP(..., valuators) twice to emulate a button
click will provide garbage data on the second run.
This is currently affecting the wacom driver, xf86PostButtonEventP() with
valuators is required to have input events with device-specific axis values.
Passing the same valuators in twice, once with press, once with release,
will see the valuators modified in the first call and garbage submitted in
the next one.
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
diff --git a/dix/getevents.c b/dix/getevents.c
index 20bcf7e..e5134d3 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -912,17 +912,19 @@ GetKeyboardEvents(EventList *events, DeviceIntPtr pDev, int type, int key_code)
int
GetKeyboardValuatorEvents(EventList *events, DeviceIntPtr pDev, int type,
int key_code, int first_valuator,
- int num_valuators, int *valuators) {
+ int num_valuators, int *valuators_in) {
int num_events = 0;
CARD32 ms = 0;
DeviceEvent *event;
RawDeviceEvent *raw;
+ int valuators[MAX_VALUATORS];
/* refuse events from disabled devices */
if (!pDev->enabled)
return 0;
if (!events ||!pDev->key || !pDev->focus || !pDev->kbdfeed ||
+ num_valuators > MAX_VALUATORS ||
(type != KeyPress && type != KeyRelease) ||
(key_code < 8 || key_code > 255))
return 0;
@@ -947,6 +949,8 @@ GetKeyboardValuatorEvents(EventList *events, DeviceIntPtr pDev, int type,
events++;
num_events++;
+ memcpy(valuators, valuators_in, num_valuators * sizeof(int));
+
init_raw(pDev, raw, ms, type, key_code);
set_raw_valuators(raw, first_valuator, num_valuators, valuators,
raw->valuators.data_raw);
@@ -1067,7 +1071,7 @@ transformAbsolute(DeviceIntPtr dev, int v[MAX_VALUATORS])
int
GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
int flags, int first_valuator, int num_valuators,
- int *valuators) {
+ int *valuators_in) {
int num_events = 1;
CARD32 ms;
DeviceEvent *event;
@@ -1076,6 +1080,7 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
cx, cy; /* only screen coordinates */
float x_frac = 0.0, y_frac = 0.0, cx_frac, cy_frac;
ScreenPtr scr = miPointerGetScreen(pDev);
+ int valuators[MAX_VALUATORS];
/* refuse events from disabled devices */
if (!pDev->enabled)
@@ -1084,6 +1089,7 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
ms = GetTimeInMillis(); /* before pointer update to help precision */
if (!scr || !pDev->valuator || first_valuator < 0 ||
+ num_valuators > MAX_VALUATORS ||
((num_valuators + first_valuator) > pDev->valuator->numAxes) ||
(type != MotionNotify && type != ButtonPress && type != ButtonRelease) ||
(type != MotionNotify && !pDev->button) ||
@@ -1097,6 +1103,8 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
events++;
num_events++;
+ memcpy(valuators, valuators_in, num_valuators * sizeof(int));
+
init_raw(pDev, raw, ms, type, buttons);
set_raw_valuators(raw, first_valuator, num_valuators, valuators,
raw->valuators.data_raw);
@@ -1183,10 +1191,11 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
*/
int
GetProximityEvents(EventList *events, DeviceIntPtr pDev, int type,
- int first_valuator, int num_valuators, int *valuators)
+ int first_valuator, int num_valuators, int *valuators_in)
{
int num_events = 1;
DeviceEvent *event;
+ int valuators[MAX_VALUATORS];
/* refuse events from disabled devices */
if (!pDev->enabled)
@@ -1202,7 +1211,7 @@ GetProximityEvents(EventList *events, DeviceIntPtr pDev, int type,
num_valuators = 0;
/* You fail. */
- if (first_valuator < 0 ||
+ if (first_valuator < 0 || num_valuators > MAX_VALUATORS ||
(num_valuators + first_valuator) > pDev->valuator->numAxes)
return 0;
@@ -1212,8 +1221,10 @@ GetProximityEvents(EventList *events, DeviceIntPtr pDev, int type,
init_event(pDev, event, GetTimeInMillis());
event->type = (type == ProximityIn) ? ET_ProximityIn : ET_ProximityOut;
- if (num_valuators)
+ if (num_valuators) {
+ memcpy(valuators, valuators_in, num_valuators * sizeof(int));
clipValuators(pDev, first_valuator, num_valuators, valuators);
+ }
set_valuators(pDev, event, first_valuator, num_valuators, valuators);
commit 6e3e559e9fa63069a10eb834a6dab9a4cfc140ee
Author: Keith Packard <keithp at keithp.com>
Date: Sun Aug 15 20:53:20 2010 -0700
dix: reset pScreen->root to NULL when root window is deleted.
From: Dave Airlie <airlied at linux.ie>
We were seeing a crash in the FreeAllResources codepath,
running valgrind revealed this,
==12536== Invalid read of size 4
==12536== at 0x810BCAB: DeliverPropertyEvent (rrproperty.c:33)
==12536== by 0x80958A4: TraverseTree (window.c:227)
==12536== by 0x809593E: WalkTree (window.c:255)
==12536== by 0x810BC66: RRDeliverPropertyEvent (rrproperty.c:53)
==12536== by 0x810BD5D: RRDeleteProperty.clone.0 (rrproperty.c:76)
==12536== by 0x810BD98: RRDeleteAllOutputProperties (rrproperty.c:88)
==12536== by 0x810A36E: RROutputDestroyResource (rroutput.c:407)
==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
==12536== by 0x808E005: FreeAllResources (resource.c:876)
==12536== by 0x8062300: main (main.c:305)
==12536== Address 0x46ba8ac is 4 bytes inside a block of size 164 free'd
==12536== at 0x40057F6: free (vg_replace_malloc.c:325)
==12536== by 0x8087F1F: _dixFreeObjectWithPrivates (privates.c:357)
==12536== by 0x809832A: DeleteWindow (window.c:926)
==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
==12536== by 0x808E005: FreeAllResources (resource.c:876)
==12536== by 0x8062300: main (main.c:305)
Its a use after free on the root window, since we have already deleted it
at this point. This patch checks if the window we are destroying is the root
window and resets the pointer to NULL if it is.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Dave Airlie <airlied at redhat.com>
Tested-by: Dave Airlie <airlied at redhat.com>
diff --git a/dix/window.c b/dix/window.c
index 4a47dd5..1913030 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -921,6 +921,8 @@ DeleteWindow(pointer value, XID wid)
if (pWin->prevSib)
pWin->prevSib->nextSib = pWin->nextSib;
}
+ else
+ pWin->drawable.pScreen->root = NULL;
dixFreeObjectWithPrivates(pWin, PRIVATE_WINDOW);
return Success;
}
More information about the Xquartz-changes
mailing list