From 47c0eeb9c635719cffab0174e73bc563e60cdf38 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Thu, 25 Oct 2012 14:04:05 +0200
Subject: [PATCH] Sync TouchListener memory allocation with population in
TouchSetupListeners()
The allocated TouchListener array may fall short by 1 if hitting the worst case
situation where there's an active grab, passive grabs on each window in the
sprite trace and event selection for touch in one of the windows. This may lead
to memory corruptions as the array is overflown.
Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
---
dix/touch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dix/touch.c b/dix/touch.c
index 497ad7d..9241fc1 100644
|
a
|
b
|
TouchBuildSprite(DeviceIntPtr sourcedev, TouchPointInfoPtr ti, |
| 572 | 572 | return FALSE; |
| 573 | 573 | |
| 574 | 574 | /* Mark which grabs/event selections we're delivering to: max one grab per |
| 575 | | * window plus the bottom-most event selection |
| 576 | | ti->listeners = calloc(sprite->spriteTraceGood + 1, sizeof(*ti->listeners)); |
| | 575 | * window plus the bottom-most event selection, plus any active grab. */ |
| | 576 | ti->listeners = calloc(sprite->spriteTraceGood + 2, sizeof(*ti->listeners)); |
| 577 | 577 | if (!ti->listeners) { |
| 578 | 578 | sprite->spriteTraceGood = 0; |
| 579 | 579 | return FALSE; |
