Commit 0909a1a7 authored by Peter Hutterer's avatar Peter Hutterer

draglock: fix memory overwrite during draglock parsing

Passing in the size of the array but using it as "number of elements" inside
the function. Rename a bunch of arguments to avoid this.

https://bugs.freedesktop.org/show_bug.cgi?id=107166Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
parent 20bb8d6b
......@@ -116,7 +116,7 @@ draglock_get_meta(const struct draglock *dl)
}
size_t
draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem)
{
unsigned int i;
size_t last = 0;
......@@ -131,8 +131,8 @@ draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
}
/* size N array with a[0] == 0, the rest ordered by button number */
memset(array, 0, sz * sizeof(array[0]));
for (i = 0; i < sz && i < ARRAY_SIZE(dl->lock_pair); i++) {
memset(array, 0, nelem * sizeof(array[0]));
for (i = 0; i < nelem && i < ARRAY_SIZE(dl->lock_pair); i++) {
array[i] = dl->lock_pair[i];
if (array[i] != 0 && i > last)
last = i;
......@@ -153,20 +153,20 @@ draglock_set_meta(struct draglock *dl, int meta_button)
}
int
draglock_set_pairs(struct draglock *dl, const int *array, size_t sz)
draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem)
{
unsigned int i;
if (sz == 0 || array[0] != 0)
if (nelem == 0 || array[0] != 0)
return 1;
for (i = 0; i < sz; i++) {
for (i = 0; i < nelem; i++) {
if (array[i] < 0 || array[i] >= DRAGLOCK_MAX_BUTTONS)
return 1;
}
dl->mode = DRAGLOCK_DISABLED;
for (i = 0; i < sz; i++) {
for (i = 0; i < nelem; i++) {
dl->lock_pair[i] = array[i];
if (dl->lock_pair[i])
dl->mode = DRAGLOCK_PAIRS;
......
......@@ -107,13 +107,13 @@ draglock_get_meta(const struct draglock *dl);
* @note Button numbers start at 1, array[0] is always 0.
*
* @param[in|out] array Caller-allocated array to hold the button mappings.
* @param[in] sz Maximum number of elements in array
* @param[in] nelem Maximum number of elements in array
*
* @return The number of valid elements in array or 0 if the current mode is
* not DRAGLOCK_PAIRS
*/
size_t
draglock_get_pairs(const struct draglock *dl, int *array, size_t sz);
draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem);
/**
* Set the drag lock config to the DRAGLOCK_META mode, with the given
......@@ -140,7 +140,7 @@ draglock_set_meta(struct draglock *dl, int meta_button);
* @return 0 on successor nonzero otherwise
*/
int
draglock_set_pairs(struct draglock *dl, const int *array, size_t sz);
draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem);
/**
* Process the given button event through the drag lock state machine.
......
......@@ -5326,7 +5326,7 @@ LibinputInitDragLockProperty(DeviceIntPtr dev,
break;
case DRAGLOCK_PAIRS:
sz = draglock_get_pairs(&driver_data->draglock,
dl_values, sizeof(dl_values));
dl_values, ARRAY_SIZE(dl_values));
break;
default:
xf86IDrvMsg(dev->public.devicePrivate,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment