Bug 59937

Summary: Null pointer dereference in ProcXTestFakeInput
Product: xorg
Reporter: Alan Coopersmith <alan.coopersmith>
Component: Server/Input/Core
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
CC: peter.hutterer
Version: git
Hardware: All
OS: All

Description Alan Coopersmith 2013-01-27 18:54:03 UTC
Parfait 1.1 reports:

Error: Null pointer dereference (CWE 476)
   Read from null pointer 'dv'
        at line 244 of Xext/xtest.c in function 'ProcXTestFakeInput'.
          Null pointer introduced at line 244.

which corresponds to:

    243         if (nev > 1 && !dev->valuator) {
    244             client->errorValue = dv->first_valuator;
    245             return BadValue;
    246         }

Unfortunately, dv is initialized to NULL before this:
    159     deviceValuator *dv = NULL;

and not set to an actual value until afterwards:
    250         for (n = 1; n < nev; n++) {
    251             dv = (deviceValuator *) (ev + n);

Should the reference at 244 be to the firstValuator variable set just
before that error check, or to another value?

If firstValuator works, then this would fix it, and prevent further invalid
uses:

diff --git a/Xext/xtest.c b/Xext/xtest.c
index 2abdc7f..6519b9c 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -156,7 +156,6 @@ ProcXTestFakeInput(ClientPtr client)
     DeviceIntPtr dev = NULL;
     WindowPtr root;
     Bool extension = FALSE;
-    deviceValuator *dv = NULL;
     ValuatorMask mask;
     int valuators[MAX_VALUATORS] = { 0 };
     int numValuators = 0;
@@ -241,14 +240,14 @@ ProcXTestFakeInput(ClientPtr client)
         }
 
         if (nev > 1 && !dev->valuator) {
-            client->errorValue = dv->first_valuator;
+            client->errorValue = firstValuator;
             return BadValue;
         }
 
         /* check validity of valuator events */
         base = firstValuator;
         for (n = 1; n < nev; n++) {
-            dv = (deviceValuator *) (ev + n);
+            deviceValuator *dv = (deviceValuator *) (ev + n);
             if (dv->type != DeviceValuator) {
                 client->errorValue = dv->type;
                 return BadValue;
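
Review bot: In the "nev > 1 && !dev->valuator" branch, setting client->errorValue to firstValuator removes the NULL read, but the report itself leaves open whether that is the right value to return with BadValue. The assignment of firstValuator is outside the visible context, so please confirm it is set on every path that reaches this check, and say in the commit message why it is the value reported. Declaring dv inside the loop body is the right scope: with the function-level NULL-initialised pointer gone, any later use of dv ahead of the cast from (ev + n) fails to compile instead of dereferencing NULL at run time.
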
Comment 1 Peter Hutterer 2013-01-29 00:44:24 UTC
http://patchwork.freedesktop.org/patch/12943/
Comment 2 Peter Hutterer 2013-02-15 01:49:07 UTC
commit 48bc30c5413a1be0039fa77affcbbb4fe677479f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Jan 29 10:24:32 2013 +1000

    Xext: avoid null-pointer dereference in XTestFakeInput (#59937)
