dix: prevent a driver from initializing or submitting buttons > MAX_BUTTONS

The server internally relies on arrays with a MAX_BUTTONS maximum size (which
is the max the core protocol can transport). Make sure a driver adheres to
that.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>

diff --git a/dix/devices.c b/dix/devices.c
index a875f03..1c86d52 100644 (file)
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1279,6 +1279,7 @@ InitButtonClassDeviceStruct(DeviceIntPtr dev, int numButtons, Atom *labels,
 
     BUG_RETURN_VAL(dev == NULL, FALSE);
     BUG_RETURN_VAL(dev->button != NULL, FALSE);
+    BUG_RETURN_VAL(numButtons >= MAX_BUTTONS, FALSE);
 
     butc = calloc(1, sizeof(ButtonClassRec));
     if (!butc)

diff --git a/dix/getevents.c b/dix/getevents.c
index 646c723..ffa89fa 100644 (file)
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -1655,6 +1655,8 @@ GetPointerEvents(InternalEvent *events, DeviceIntPtr pDev, int type,
     }
 #endif
 
+    BUG_RETURN_VAL(buttons >= MAX_BUTTONS, 0);
+
     /* refuse events from disabled devices */
     if (!pDev->enabled)
         return 0;