From 188148e1cc1cdecc7731a4251a9ecb9dd73e6241 Mon Sep 17 00:00:00 2001 From: Oliver McFadden Date: Mon, 24 Jan 2011 22:03:30 +0200 Subject: [PATCH] dix: GetPointerEvents: added valuator range checking Button events may be sent with no valuators (e.g. to simply indicate ButtonPress or ButtonRelease without any coordinates); when this happens the server would read uninitialized memory. ==9999== Conditional jump or move depends on uninitialised value(s) ==9999== at 0x48E87E8: pixman_f_transform_point (in /usr/lib/libpixman-1.so.0.18.2) ==9999== Uninitialised value was created by a stack allocation ==9999== at 0x37524: GetPointerEvents (getevents.c:1074) ==9999== ==9999== Conditional jump or move depends on uninitialised value(s) ==9999== at 0x496D074: lround (s_lround.c:40) ==9999== by 0x3773B: GetPointerEvents (getevents.c:1048) ==9999== by 0x683BB: xf86PostButtonEventP (xf86Xinput.c:1162) ==9999== by 0x6853B: xf86PostButtonEvent (xf86Xinput.c:1126) ==9999== by 0x5779037: process_state (multitouch.c:321) (xf86-input-mtev) ==9999== by 0x577908F: read_input (multitouch.c:331)) (xf86-input-mtev) ==9999== by 0x66B4F: xf86SigioReadInput (xf86Events.c:298) ==9999== by 0x112697: xf86SIGIO (sigio.c:118) ==9999== by 0x4A12B2F: ??? (sigrestorer.S:51) ==9999== Uninitialised value was created by a stack allocation ==9999== at 0x37524: GetPointerEvents (getevents.c:1074) Signed-off-by: Oliver McFadden Reviewed-by: Peter Hutterer --- dix/getevents.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/dix/getevents.c b/dix/getevents.c
index 8c64f1d59..c44abdc68 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1034,19 +1034,21 @@ FreeEventList(EventListPtr list, int num_events)
 }
 
 static void
-transformAbsolute(DeviceIntPtr dev, int v[MAX_VALUATORS])
+transformAbsolute(DeviceIntPtr dev, int first, int num, int *valuators)
 {
-    struct pixman_f_vector p;
+    struct pixman_f_vector p = { .v = {0.0, 0.0, 1.0} };
 
     /* p' = M * p in homogeneous coordinates */
-    p.v[0] = v[0];
-    p.v[1] = v[1];
-    p.v[2] = 1.0;
+    if (num >= 1 && first == 0)
+        p.v[0] = *(valuators + 0);
+
+    if (first <= 1 && num >= (2 - first))
+        p.v[1] = *(valuators + 1 - first);
 
     pixman_f_transform_point(&dev->transform, &p);
 
-    v[0] = lround(p.v[0]);
-    v[1] = lround(p.v[1]);
+    valuators[0] = lround(p.v[0]);
+    valuators[1] = lround(p.v[1]);
 }
 
 /**
@@ -1124,7 +1126,7 @@ GetPointerEvents(EventList *events, DeviceIntPtr pDev, int type, int buttons,
                  scr->height);
         }
 
-        transformAbsolute(pDev, valuators);
+        transformAbsolute(pDev, first_valuator, num_valuators, valuators);
         moveAbsolute(pDev, &x, &y, first_valuator, num_valuators, valuators);
     } else {
         if (flags & POINTER_ACCELERATE) {
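Review bot: The write-back at the end of transformAbsolute, `valuators[0] = lround(p.v[0]); valuators[1] = lround(p.v[1]);`, is still unconditional even though the reads above it are now guarded by `first`/`num`, so in the button-event case this patch targets (num == 0) the function still stores two ints through a pointer that was passed with no valuators, and when first == 1 the y coordinate is read from valuators[0] but written back to valuators[1]. The guards should be mirrored on the stores so each coordinate goes back to the index it was read from, as in the excerpt below. The second hunk, which forwards first_valuator/num_valuators from GetPointerEvents, exercises the same path; whether the caller's valuators buffer can be NULL or shorter than two entries is not visible here, but the stores should not rely on it either way. A one-line comment on the initializer, e.g. `/* absent x/y default to 0 so a partial event still goes through the transform */`, would also make it clear that a rotation in dev->transform mixes that default into the coordinate that is present.
```c
    pixman_f_transform_point(&dev->transform, &p);

    /* store back only what was read, at the index it came from */
    if (num >= 1 && first == 0)
        valuators[0] = lround(p.v[0]);

    if (first <= 1 && num >= (2 - first))
        valuators[1 - first] = lround(p.v[1]);
```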