[arch-commits] Commit in xorg-server/trunk (2 files)

Andreas Radke andyrtr at gemini.archlinux.org
Sat Feb 19 11:31:24 UTC 2022 

    Date: Saturday, February 19, 2022 @ 11:31:23
  Author: andyrtr
Revision: 437745

upgpkg: xorg-server 21.1.3-5: fix crash with closed nvidia FS#73875

Added:
  xorg-server/trunk/0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch
Modified:
  xorg-server/trunk/PKGBUILD

---------------------------------------------------------------+
 0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch |   98 ++++++++++
 PKGBUILD                                                      |    8 
 2 files changed, 104 insertions(+), 2 deletions(-)

Added: 0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch
===================================================================
--- 0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch	                        (rev 0)
+++ 0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch	2022-02-19 11:31:23 UTC (rev 437745)
@@ -0,0 +1,98 @@
+From 6ef5c05728f8b18170fbc8415d7502495a08670b Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas at radix.lt>
+Date: Sun, 23 Jan 2022 22:18:52 +0200
+Subject: [PATCH] dix: Correctly save replayed event into GrabInfoRec
+
+When processing events we operate on InternalEvent pointers. They may
+actually refer to a an instance of DeviceEvent, GestureEvent or any
+other event that comprises the InternalEvent union. This works well in
+practice because we always look into event type before doing anything,
+except in the case of copying the event.
+
+*dst_event = *src_event would copy whole InternalEvent event and would
+cause out of bounds read in case the pointed to event was not
+InternalEvent but e.g. DeviceEvent.
+
+This regression has been introduced in
+23a8b62d34344575f9df9d057fb74bfefa94a77b.
+
+Fixes https://gitlab.freedesktop.org/xorg/xserver/-/issues/1261
+
+Signed-off-by: Povilas Kanapickas <povilas at radix.lt>
+---
+ Xi/exevents.c   |  2 +-
+ dix/events.c    | 18 ++++++++++++++++--
+ include/input.h |  1 +
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 94b9983bd..217baa956 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -1524,7 +1524,7 @@ DeliverTouchEmulatedEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
+             g = AllocGrab(devgrab);
+             BUG_WARN(!g);
+ 
+-            *dev->deviceGrab.sync.event = *ev;
++            CopyPartialInternalEvent(dev->deviceGrab.sync.event, ev);
+ 
+             /* The listener array has a sequence of grabs and then one event
+              * selection. Implicit grab activation occurs through delivering an
+diff --git a/dix/events.c b/dix/events.c
+index 341c746d4..28d7d177c 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -467,6 +467,20 @@ WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev)
+     return xi2mask_isset(inputMasks->xi2mask, dev, evtype);
+ }
+ 
++/**
++ * When processing events we operate on InternalEvent pointers. They may actually refer to a
++ * an instance of DeviceEvent, GestureEvent or any other event that comprises the InternalEvent
++ * union. This works well in practice because we always look into event type before doing anything,
++ * except in the case of copying the event. Any copying of InternalEvent should use this function
++ * instead of doing *dst_event = *src_event whenever it's not clear whether source event actually
++ * points to full InternalEvent instance.
++ */
++void
++CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event)
++{
++    memcpy(dst_event, src_event, src_event->any.length);
++}
++
+ Mask
+ GetEventMask(DeviceIntPtr dev, xEvent *event, InputClients * other)
+ {
+@@ -3873,7 +3887,7 @@ void ActivateGrabNoDelivery(DeviceIntPtr dev, GrabPtr grab,
+ 
+     if (grabinfo->sync.state == FROZEN_NO_EVENT)
+         grabinfo->sync.state = FROZEN_WITH_EVENT;
+-    *grabinfo->sync.event = *real_event;
++    CopyPartialInternalEvent(grabinfo->sync.event, real_event);
+ }
+ 
+ static BOOL
+@@ -4455,7 +4469,7 @@ FreezeThisEventIfNeededForSyncGrab(DeviceIntPtr thisDev, InternalEvent *event)
+     case FREEZE_NEXT_EVENT:
+         grabinfo->sync.state = FROZEN_WITH_EVENT;
+         FreezeThaw(thisDev, TRUE);
+-        *grabinfo->sync.event = *event;
++        CopyPartialInternalEvent(grabinfo->sync.event, event);
+         break;
+     }
+ }
+diff --git a/include/input.h b/include/input.h
+index b1aef3663..cdb5d5a90 100644
+--- a/include/input.h
++++ b/include/input.h
+@@ -676,6 +676,7 @@ extern void GestureEmitGestureEndToOwner(DeviceIntPtr dev, GestureInfoPtr gi);
+ extern void ProcessGestureEvent(InternalEvent *ev, DeviceIntPtr dev);
+ 
+ /* misc event helpers */
++extern void CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event);
+ extern Mask GetEventMask(DeviceIntPtr dev, xEvent *ev, InputClientsPtr clients);
+ extern Mask GetEventFilter(DeviceIntPtr dev, xEvent *event);
+ extern Bool WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev);
+-- 
+GitLab
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-02-19 11:07:20 UTC (rev 437744)
+++ PKGBUILD	2022-02-19 11:31:23 UTC (rev 437745)
@@ -5,7 +5,7 @@
 pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xvfb' 'xorg-server-xnest'
          'xorg-server-common' 'xorg-server-devel')
 pkgver=21.1.3
-pkgrel=4
+pkgrel=5
 arch=('x86_64')
 license=('custom')
 groups=('xorg')
@@ -23,6 +23,7 @@
         xvfb-run.1
         0001-xkb-fix-XkbSetMap-when-changing-a-keysym-without-cha.patch
         0002-xephyr_Dont_check_for_SeatId_anymore.patch
+        0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch
 )
 validpgpkeys=('FD0004A26EADFE43A4C3F249C6F7AE200374452D') # Povilas Kanapickas <povilas at radix.lt>
 sha512sums=('cf5fed023eadda62ae732f8c4d427c272ebe005188341290f3d03147042c103b00cbb94d86a0256da815fb9b9a3da315c21a05ee0c926c1a2ff0c54ab0c0638b'
@@ -30,7 +31,8 @@
             '87c79b4a928e74463f96f58d277558783eac9b8ea6ba00d6bbbb67ad84c4d65b3792d960ea2a70089ae18162e82ae572a49ad36df169c974cc99dbaa51f63eb2'
             'de5e2cb3c6825e6cf1f07ca0d52423e17f34d70ec7935e9dd24be5fb9883bf1e03b50ff584931bd3b41095c510ab2aa44d2573fd5feaebdcb59363b65607ff22'
             'bc3b955072f320ae72a771bebecbcf56637cd0448c3afa28149fcd9e0de3700e9fba1fec21fe283be77e1236e317e385f6970eb59df54d3181324c229c8309d7'
-            '34de52147054535256f35143d321e4d5e189baae502afca2bd3291094946dbead0829b1f196ae2a4d23bd6d0e1e04b65a387dee43f12dee55d247e37aec419d7')
+            '34de52147054535256f35143d321e4d5e189baae502afca2bd3291094946dbead0829b1f196ae2a4d23bd6d0e1e04b65a387dee43f12dee55d247e37aec419d7'
+            '01acc49ee9d0681b1ec3f9f22cd4e0dbaee2f5395ebe796e158e30c7d61890337a01fe7ace267d90d62e29f3d74b981391feb7cc5840c187d62f9433ce8e1fff')
 
 prepare() {
   cd ${pkgbase}-$pkgver
@@ -39,6 +41,8 @@
   patch -Np1 -i ../0001-xkb-fix-XkbSetMap-when-changing-a-keysym-without-cha.patch
   # FS#73274
   patch -Np1 -i ../0002-xephyr_Dont_check_for_SeatId_anymore.patch
+  # FS#73875
+  patch -Np1 -i ../0003-dix_Correctly_save_replayed_event_into_GrabInfoRec.patch
 }
 
 build() {

More information about the arch-commits mailing list