From b907c23d00feae0e361f02c80570ec490e44ad6f Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Mon, 2 Feb 2009 11:00:30 +1000 Subject: Protect against zero-sized property values. #19882 X.Org Bug 19882 Signed-off-by: Peter Hutterer (cherry picked from commit 07f40a04df28e9ee6318411beb71eedc7cd6e288) --- src/draglock.c | 4 +++- src/emuWheel.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/draglock.c b/src/draglock.c index 631da17..8e97b0d 100644 --- a/src/draglock.c +++ b/src/draglock.c @@ -243,7 +243,9 @@ EvdevDragLockSetProperty(DeviceIntPtr dev, Atom atom, XIPropertyValuePtr val, return BadValue; } - if (val->size == 1) + if (val->size == 0) + return BadMatch; + else if (val->size == 1) { int meta = *((CARD8*)val->data); if (meta > EVDEV_MAXBUTTONS) diff --git a/src/emuWheel.c b/src/emuWheel.c index b007de0..488a6a2 100644 --- a/src/emuWheel.c +++ b/src/emuWheel.c @@ -350,11 +350,13 @@ EvdevWheelEmuSetProperty(DeviceIntPtr dev, Atom atom, XIPropertyValuePtr val, } else if (atom == prop_wheel_button) { - int bt = *((CARD8*)val->data); + int bt; if (val->format != 8 || val->size != 1 || val->type != XA_INTEGER) return BadMatch; + bt = *((CARD8*)val->data); + if (bt < 0 || bt >= EVDEV_MAXBUTTONS) return BadValue; @@ -374,11 +376,13 @@ EvdevWheelEmuSetProperty(DeviceIntPtr dev, Atom atom, XIPropertyValuePtr val, } } else if (atom == prop_wheel_inertia) { - int inertia = *((CARD16*)val->data); + int inertia; if (val->format != 16 || val->size != 1 || val->type != XA_INTEGER) return BadMatch; + inertia = *((CARD16*)val->data); + if (inertia < 0) return BadValue; @@ -386,11 +390,13 @@ EvdevWheelEmuSetProperty(DeviceIntPtr dev, Atom atom, XIPropertyValuePtr val, pEvdev->emulateWheel.inertia = inertia; } else if (atom == prop_wheel_timeout) { - int timeout = *((CARD16*)val->data); + int timeout; if (val->format != 16 || val->size != 1 || val->type != XA_INTEGER) return BadMatch; + timeout = *((CARD16*)val->data); + if (timeout < 0) return BadValue; -- cgit v1.2.1