From 0909a1a76546284f27fb1b17a6f545a04537cc36 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Tue, 10 Jul 2018 11:17:50 +1000
Subject: [PATCH xf86-input-libinput] draglock: fix memory overwrite during draglock parsing

Passing in the size of the array but using it as "number of elements" inside the function. Rename a bunch of arguments to avoid this. https://bugs.freedesktop.org/show_bug.cgi?id=107166

Signed-off-by: Peter Hutterer
---
 src/draglock.c | 14 +++++++-------
 src/draglock.h | 6 +++---
 src/xf86libinput.c | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/draglock.c b/src/draglock.c
index b0bcac3..e0a91d0 100644
--- a/src/draglock.c
+++ b/src/draglock.c
@@ -116,7 +116,7 @@ draglock_get_meta(const struct draglock *dl)
 }
 size_t
-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
+draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem)
 {
 unsigned int i;
 size_t last = 0;
@@ -131,8 +131,8 @@ draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
 }
 /* size N array with a[0] == 0, the rest ordered by button number */
- memset(array, 0, sz * sizeof(array[0]));
- for (i = 0; i < sz && i < ARRAY_SIZE(dl->lock_pair); i++) {
+ memset(array, 0, nelem * sizeof(array[0]));
+ for (i = 0; i < nelem && i < ARRAY_SIZE(dl->lock_pair); i++) {
 array[i] = dl->lock_pair[i];
 if (array[i] != 0 && i > last)
 last = i;
@@ -153,20 +153,20 @@ draglock_set_meta(struct draglock *dl, int meta_button)
 }
 int
-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz)
+draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem)
 {
 unsigned int i;
- if (sz == 0 || array[0] != 0)
+ if (nelem == 0 || array[0] != 0)
 return 1;
- for (i = 0; i < sz; i++) {
+ for (i = 0; i < nelem; i++) {
 if (array[i] < 0 || array[i] >= DRAGLOCK_MAX_BUTTONS)
 return 1;
 }
 dl->mode = DRAGLOCK_DISABLED;
- for (i = 0; i < sz; i++) {
+ for (i = 0; i < nelem; i++) {
 dl->lock_pair[i] = array[i];
 if (dl->lock_pair[i])
 dl->mode = DRAGLOCK_PAIRS;
diff --git a/src/draglock.h b/src/draglock.h
index acc1314..900d538 100644
--- a/src/draglock.h
+++ b/src/draglock.h
@@ -107,13 +107,13 @@ draglock_get_meta(const struct draglock *dl);
 * @note Button numbers start at 1, array[0] is always 0.
 *
 * @param[in|out] array Caller-allocated array to hold the button mappings.
- * @param[in] sz Maximum number of elements in array
+ * @param[in] nelem Maximum number of elements in array
 *
 * @return The number of valid elements in array or 0 if the current mode is
 * not DRAGLOCK_PAIRS
 */
 size_t
-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz);
+draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem);
 /**
 * Set the drag lock config to the DRAGLOCK_META mode, with the given
@@ -140,7 +140,7 @@ draglock_set_meta(struct draglock *dl, int meta_button);
 * @return 0 on successor nonzero otherwise
 */
 int
-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz);
+draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem);
 /**
 * Process the given button event through the drag lock state machine.
diff --git a/src/xf86libinput.c b/src/xf86libinput.c
index 2e950cd..34f1102 100644
--- a/src/xf86libinput.c
+++ b/src/xf86libinput.c
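Review bot: draglock_set_pairs still copies nelem entries into dl->lock_pair without bounding nelem against the destination, so a caller that passes a count larger than the pair array (the same count-versus-size confusion this commit fixes for the draglock_get_pairs caller) would write past dl->lock_pair; draglock_get_pairs in the previous hunk clamps with ARRAY_SIZE(dl->lock_pair), and the guard here should do the same: `if (nelem == 0 || nelem > ARRAY_SIZE(dl->lock_pair) || array[0] != 0)` `return 1;`. The value check against DRAGLOCK_MAX_BUTTONS constrains what is stored, not how many entries are written, so it does not cover this. Entries of dl->lock_pair beyond nelem are also left untouched, so pairs from an earlier call may survive unless lock_pair is cleared elsewhere — worth confirming. The closing lines of draglock_set_pairs are outside the hunk.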
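Review bot: The context line `* @return 0 on successor nonzero otherwise` above the renamed draglock_set_pairs prototype reads as a typo for `* @return 0 on success or nonzero otherwise`, and since the commit already edits this comment block it is cheap to fold in. The diffstat shows only three changed lines in draglock.h — the two prototypes and the @param for draglock_get_pairs — so the description of draglock_set_pairs' count parameter, which sits above this hunk and is not visible here, either still calls it sz or does not document it; it should name nelem and state that it must not exceed the number of entries the drag lock keeps internally, because draglock_set_pairs copies nelem elements rather than treating it as an upper bound the way draglock_get_pairs does.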
@@ -5326,7 +5326,7 @@ LibinputInitDragLockProperty(DeviceIntPtr dev,
 break;
 case DRAGLOCK_PAIRS:
 sz = draglock_get_pairs(&driver_data->draglock,
- dl_values, sizeof(dl_values));
+ dl_values, ARRAY_SIZE(dl_values));
 break;
 default:
 xf86IDrvMsg(dev->public.devicePrivate,
-- 
2.17.1
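Review bot: ARRAY_SIZE(dl_values) is only correct if dl_values is a genuine array in this scope rather than a pointer; its declaration is outside the hunk, so that should be confirmed, since sizeof(dl_values) on the removed line compiled either way and the macro would silently do the same for a pointer. A short comment on the changed line, `/* element count, not byte size */`, would keep the next edit from reintroducing the mix-up. Because draglock_set_pairs copies nelem ints into dl->lock_pair with no internal bound (see the draglock.c hunk), its call sites — none appear in this patch — deserve the same sizeof-versus-element-count check. LibinputInitDragLockProperty continues outside the hunk.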