From 552de314bf0c8e4de5d002bdd1c12388c2f42283 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Mon, 19 Dec 2011 14:52:41 +1000
Subject: dix: don't retrieve the syncEvents tail on an empty list

An empty list points to itself but syncEvents has the list head only and is of a different format than the elements. Thus, casting it to a QdEventPtr gives us garbage. Segfaults with XTS test case Xlib13/XGrabKeyboard
Introduced in 7af23259d88f4c28ed21140f82cc03b3724c06bb.
Reported-by: Aaron Plattner
Signed-off-by: Peter Hutterer
Reviewed-by: Chase Douglas
---
 dix/events.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'dix')
diff --git a/dix/events.c b/dix/events.c
index 48cf7a244..d80290360 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1116,13 +1116,14 @@ NoticeEventTime(InternalEvent *ev)
 void
 EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
 {
- QdEventPtr tail;
+ QdEventPtr tail = NULL;
 QdEventPtr qe;
 SpritePtr pSprite = device->spriteInfo->sprite;
 int eventlen;
 DeviceEvent *event = &ev->device_event;
 
- tail = list_last_entry(&syncEvents.pending, QdEventRec, next);
+ if (!list_is_empty(&syncEvents.pending))
+ tail = list_last_entry(&syncEvents.pending, QdEventRec, next);
 
 NoticeTime((InternalEvent*)event);
 
--
cgit v1.2.3
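Review bot: With `tail` now NULL whenever `syncEvents.pending` is empty, every later use of `tail` in EnqueueEvent has to be NULL-guarded, and none of those uses are visible in this hunk (the function body continues past it). Before the patch the pointer was derived from the list head itself, so a missed guard would now show up as a NULL dereference instead of a read through a mis-typed pointer; either way it is a server crash on a path the commit message ties to a keyboard-grab test, so the rest of the function deserves a check. A short comment at the guard would keep the reason from being lost, e.g. `/* list_last_entry() on an empty list yields the list head cast to QdEventRec; leave tail NULL instead */`. The commit named in the message as the origin may have introduced other `list_last_entry`/`list_first_entry` calls on this list, which would be worth auditing for the same empty-list case.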