diff --git a/SOURCES/0001-draglock-fix-memory-overwrite-during-draglock-parsin.patch b/SOURCES/0001-draglock-fix-memory-overwrite-during-draglock-parsin.patch
new file mode 100644
index 0000000..6ca1cce
--- /dev/null
+++ b/SOURCES/0001-draglock-fix-memory-overwrite-during-draglock-parsin.patch
@@ -0,0 +1,112 @@
+From 0909a1a76546284f27fb1b17a6f545a04537cc36 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 10 Jul 2018 11:17:50 +1000
+Subject: [PATCH xf86-input-libinput] draglock: fix memory overwrite during
+ draglock parsing
+
+Passing in the size of the array but using it as "number of elements" inside
+the function. Rename a bunch of arguments to avoid this.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=107166
+
+Signed-off-by: Peter Hutterer
+---
+ src/draglock.c | 14 +++++++-------
+ src/draglock.h | 6 +++---
+ src/xf86libinput.c | 2 +-
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/draglock.c b/src/draglock.c
+index b0bcac3..e0a91d0 100644
+--- a/src/draglock.c
++++ b/src/draglock.c
+@@ -116,7 +116,7 @@ draglock_get_meta(const struct draglock *dl)
+ }
+
+ size_t
+-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
++draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem)
+ {
+ unsigned int i;
+ size_t last = 0;
+@@ -131,8 +131,8 @@ draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
+ }
+
+ /* size N array with a[0] == 0, the rest ordered by button number */
+- memset(array, 0, sz * sizeof(array[0]));
+- for (i = 0; i < sz && i < ARRAY_SIZE(dl->lock_pair); i++) {
++ memset(array, 0, nelem * sizeof(array[0]));
++ for (i = 0; i < nelem && i < ARRAY_SIZE(dl->lock_pair); i++) {
+ array[i] = dl->lock_pair[i];
+ if (array[i] != 0 && i > last)
+ last = i;
+@@ -153,20 +153,20 @@ draglock_set_meta(struct draglock *dl, int meta_button)
+ }
+
+ int
+-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz)
++draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem)
+ {
+ unsigned int i;
+
+- if (sz == 0 || array[0] != 0)
++ if (nelem == 0 || array[0] != 0)
+ return 1;
+
+- for (i = 0; i < sz; i++) {
++ for (i = 0; i < nelem; i++) {
+ if (array[i] < 0 || array[i] >= DRAGLOCK_MAX_BUTTONS)
+ return 1;
+ }
+
+ dl->mode = DRAGLOCK_DISABLED;
+- for (i = 0; i < sz; i++) {
++ for (i = 0; i < nelem; i++) {
+ dl->lock_pair[i] = array[i];
+ if (dl->lock_pair[i])
+ dl->mode = DRAGLOCK_PAIRS;
+diff --git a/src/draglock.h b/src/draglock.h
+index acc1314..900d538 100644
+--- a/src/draglock.h
++++ b/src/draglock.h
+@@ -107,13 +107,13 @@ draglock_get_meta(const struct draglock *dl);
+ * @note Button numbers start at 1, array[0] is always 0.
+ *
+ * @param[in|out] array Caller-allocated array to hold the button mappings.
+- * @param[in] sz Maximum number of elements in array
++ * @param[in] nelem Maximum number of elements in array
+ *
+ * @return The number of valid elements in array or 0 if the current mode is
+ * not DRAGLOCK_PAIRS
+ */
+ size_t
+-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz);
++draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem);
+
+ /**
+ * Set the drag lock config to the DRAGLOCK_META mode, with the given
+@@ -140,7 +140,7 @@ draglock_set_meta(struct draglock *dl, int meta_button);
+ * @return 0 on successor nonzero otherwise
+ */
+ int
+-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz);
++draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem);
+
+ /**
+ * Process the given button event through the drag lock state machine.
+diff --git a/src/xf86libinput.c b/src/xf86libinput.c
+index 2e950cd..34f1102 100644
+--- a/src/xf86libinput.c
++++ b/src/xf86libinput.c
+@@ -5326,7 +5326,7 @@ LibinputInitDragLockProperty(DeviceIntPtr dev,
+ break;
+ case DRAGLOCK_PAIRS:
+ sz = draglock_get_pairs(&driver_data->draglock,
+- dl_values, sizeof(dl_values));
++ dl_values, ARRAY_SIZE(dl_values));
+ break;
+ default:
+ xf86IDrvMsg(dev->public.devicePrivate,
+--
+2.17.1
+
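Review bot: In the src/draglock.c hunk for draglock_set_pairs, the copy loop `dl->lock_pair[i] = array[i]` is bounded only by the caller-supplied `nelem`, whereas draglock_get_pairs in the same file also stops at `ARRAY_SIZE(dl->lock_pair)`. The rename fixes the bytes-versus-elements confusion at the one call site shown, but the setter still trusts its caller for the destination bound, which is the same class of overwrite this commit addresses. Rejecting oversize input in the existing guard would close that: `if (nelem == 0 || nelem > ARRAY_SIZE(dl->lock_pair) || array[0] != 0) return 1;`. The declaration of `lock_pair` and the callers of draglock_set_pairs are not part of this patch, so whether an oversize `nelem` can reach the function today cannot be confirmed from here; the function body also continues past the end of the hunk.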