Xi: don't overrun memory for grab masks.

A grab mask provided in the request may be larger than the one used in the
server. Cut down to size before memcopying.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

2 files changed, 6 insertions, 2 deletions

diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
index 95beb832b..5394b1900 100644
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@@ -66,6 +66,7 @@ ProcXIGrabDevice(ClientPtr client)
     int ret = Success;
     uint8_t status;
     GrabMask mask;
+    int mask_len;
 
     REQUEST(xXIGrabDeviceReq);
     REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
@@ -77,8 +78,9 @@ ProcXIGrabDevice(ClientPtr client)
     if (!IsMaster(dev))
         stuff->paired_device_mode = GrabModeAsync;
 
+    mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
     memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
-    memcpy(mask.xi2mask, (char*)&stuff[1], stuff->mask_len * 4);
+    memcpy(mask.xi2mask, (char*)&stuff[1], mask_len);
 
     ret = GrabDevice(client, dev, stuff->grab_mode,
                      stuff->paired_device_mode,
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 1d6200f3a..0cfdc1d9b 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -86,6 +86,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabMask mask;
     GrabParameters param;
     void *tmp;
+    int mask_len;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
@@ -127,8 +128,9 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 
+    mask_len = min(sizeof(mask.xi2mask[stuff->deviceid]), stuff->mask_len * 4);
     memset(mask.xi2mask, 0, sizeof(mask.xi2mask));
-    memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], stuff->mask_len * 4);
+    memcpy(mask.xi2mask[stuff->deviceid], &stuff[1], mask_len * 4);
 
     rep.repType = X_Reply;
     rep.RepType = X_XIPassiveGrabDevice;