Xi: Zero target buffer in SProcXSendExtensionEvent.

Make sure that the xEvent eventT is initialized with zeros, the same way as in SProcSendEvent. Some event swapping functions do not overwrite all 32 bytes of xEvent structure, for example XSecurityAuthorizationRevoked. Two cooperating clients, one swapped and the other not, can send XSecurityAuthorizationRevoked event to each other to retrieve old stack data from X server. This can be potentialy misused to go around ASLR or stack-protector. Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 05442de962d3dc624f79fc1a00eca3ffc5489ced)
author: Michal Srb <msrb@suse.com> 2017-05-24 15:54:39 +0300
committer: Adam Jackson <ajax@redhat.com> 2017-09-25 15:34:10 -0400
commit: cdf15ab8f94d54bce72f37653fc46daf482b1671 (patch)
tree: b716080f7cd17a3bfdfa34edb66781188717e40f /Xi
parent: 3a53e4407fb9e0c0e0dbf8d147b67f6e36aea5ae (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 183f88dae..c9b7dde7c 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 {
     CARD32 *p;
     int i;
-    xEvent eventT;
+    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
author	Michal Srb <msrb@suse.com>	2017-05-24 15:54:39 +0300
committer	Adam Jackson <ajax@redhat.com>	2017-09-25 15:34:10 -0400
commit	cdf15ab8f94d54bce72f37653fc46daf482b1671 (patch)
tree	b716080f7cd17a3bfdfa34edb66781188717e40f /Xi
parent	3a53e4407fb9e0c0e0dbf8d147b67f6e36aea5ae (diff)