Remove the SendEvent bit (0x80) before doing range checks on event type.

Some extension libraries may set this bit before converting the event to
wire protocol and as such range checking the event will cause an invalid
BadValue error to result. As the documentation suggests the the bit
should be "forced on", remove it before doing range checks and continue
to force it on in the server.

Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2d2dce558d24eeea0eb011ec9ebaa6c5c2273c39)

diff --git a/dix/events.c b/dix/events.c
index 8a4c6b9..9e58edb 100644 (file)
--- a/dix/events.c
+++ b/dix/events.c
@@ -5224,6 +5224,8 @@ CloseDownEvents(void)
     InputEventList = NULL;
 }
 
+#define SEND_EVENT_BIT 0x80
+
 /**
  * Server-side protocol handling for SendEvent request.
  *
@@ -5241,6 +5243,16 @@ ProcSendEvent(ClientPtr client)
 
     REQUEST_SIZE_MATCH(xSendEventReq);
 
+    /* libXext and other extension libraries may set the bit indicating
+     * that this event came from a SendEvent request so remove it
+     * since otherwise the event type may fail the range checks
+     * and cause an invalid BadValue error to be returned.
+     *
+     * This is safe to do since we later add the SendEvent bit (0x80)
+     * back in once we send the event to the client */
+
+    stuff->event.u.u.type &= ~(SEND_EVENT_BIT);
+
     /* The client's event type must be a core event type or one defined by an
        extension. */
 
@@ -5298,7 +5310,7 @@ ProcSendEvent(ClientPtr client)
        client->errorValue = stuff->propagate;
        return BadValue;
     }
-    stuff->event.u.u.type |= 0x80;
+    stuff->event.u.u.type |= SEND_EVENT_BIT;
     if (stuff->propagate)
     {
        for (;pWin; pWin = pWin->parent)