dix: avoid deferencing NULL PtrCtrl

PtrCtrl really makes sense for relative pointing device only, absolute devices such as touch devices do not have any PtrCtrl set. In some cases, if the client issues a XGetPointerControl() immediatlely after a ChangeMasterDeviceClasses() copied the touch device to the VCP, a NULL pointer dereference will occur leading to a crash of Xwayland. Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and return the default control values otherwise, to avoid the NULL pointer dereference. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533 Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> (cherry picked from commit 9f7a9be13d6449c00c86d3035374f4f543654b3f)
author: Olivier Fourdan <ofourdan@redhat.com> 2017-12-05 09:59:06 +0100
committer: Adam Jackson <ajax@redhat.com> 2017-12-13 10:09:11 -0500
commit: 072dff82817bc02bb4bdb2dad594e6090586bf58 (patch)
tree: 0927841e7fa3189c17bb69ed981ce23fd06f0a35
parent: f9a55653721980e3921083015ffb39f777606828 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/dix/devices.c b/dix/devices.c
index ea3c6c8a9..4a628afb0 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2329,10 +2329,15 @@ int
 ProcGetPointerControl(ClientPtr client)
 {
     DeviceIntPtr ptr = PickPointer(client);
-    PtrCtrl *ctrl = &ptr->ptrfeed->ctrl;
+    PtrCtrl *ctrl;
     xGetPointerControlReply rep;
     int rc;
 
+    if (ptr->ptrfeed)
+        ctrl = &ptr->ptrfeed->ctrl;
+    else
+        ctrl = &defaultPointerControl;
+
     REQUEST_SIZE_MATCH(xReq);
 
     rc = XaceHook(XACE_DEVICE_ACCESS, client, ptr, DixGetAttrAccess);
author	Olivier Fourdan <ofourdan@redhat.com>	2017-12-05 09:59:06 +0100
committer	Adam Jackson <ajax@redhat.com>	2017-12-13 10:09:11 -0500
commit	072dff82817bc02bb4bdb2dad594e6090586bf58 (patch)
tree	0927841e7fa3189c17bb69ed981ce23fd06f0a35
parent	f9a55653721980e3921083015ffb39f777606828 (diff)