[xorg-x11-server/f17] Avoid memory corruption on too many touch listeners (#862829)

[Peter Hutterer]

commit 9b5bbdacbdb5a79459102776cadeb1478b22327a
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Tue Jan 29 17:21:54 2013 +1000

    Avoid memory corruption on too many touch listeners (#862829)

 ...istener-memory-allocation-with-population.patch |   37 ++++++++++++++++++++
 xorg-x11-server.spec                               |    8 ++++-
 2 files changed, 44 insertions(+), 1 deletions(-)
---
diff --git a/0001-Sync-TouchListener-memory-allocation-with-population.patch b/0001-Sync-TouchListener-memory-allocation-with-population.patch
new file mode 100644
index 0000000..c1bc4b7
--- /dev/null
+++ b/0001-Sync-TouchListener-memory-allocation-with-population.patch
@@ -0,0 +1,37 @@
+From ee62b7a870e94dd1930a6e697f250c52fcefa9ef Mon Sep 17 00:00:00 2001
+From: Carlos Garnacho <carlosg at gnome.org>
+Date: Thu, 25 Oct 2012 15:03:50 +0200
+Subject: [PATCH] Sync TouchListener memory allocation with population in
+ TouchSetupListeners()
+
+The allocated TouchListener array may fall short by 1 if hitting the worst case
+situation where there's an active grab, passive grabs on each window in the
+sprite trace and event selection for touch in one of the windows. This may lead
+to memory corruptions as the array is overflown.
+
+Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+(cherry picked from commit ced56f322ead10d1bc93fcd1f8e0ec3ae51292a3)
+---
+ dix/touch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dix/touch.c b/dix/touch.c
+index ad48d8a..ec2c996 100644
+--- a/dix/touch.c
++++ b/dix/touch.c
+@@ -571,8 +571,8 @@ TouchBuildSprite(DeviceIntPtr sourcedev, TouchPointInfoPtr ti,
+         return FALSE;
+ 
+     /* Mark which grabs/event selections we're delivering to: max one grab per
+-     * window plus the bottom-most event selection. */
+-    ti->listeners = calloc(sprite->spriteTraceGood + 1, sizeof(*ti->listeners));
++     * window plus the bottom-most event selection, plus any active grab. */
++    ti->listeners = calloc(sprite->spriteTraceGood + 2, sizeof(*ti->listeners));
+     if (!ti->listeners) {
+         sprite->spriteTraceGood = 0;
+         return FALSE;
+-- 
+1.8.1
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 203d6a4..73ccc9f 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -48,7 +48,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.12.4
-Release:   3%{?gitdate:.%{gitdate}}%{dist}
+Release:   4%{?gitdate:.%{gitdate}}%{dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -120,6 +120,9 @@ Patch7022: 0001-Touch-Fix-duplicate-TouchBegin-selection-with-virtua.patch
 
 Patch7023: 0001-mieq-Bump-default-queue-size-to-512.patch
 
+# Possibly Bug 862829 - [abrt] xorg-x11-server-Xorg-1.12.3-2.fc17: Xorg server
+Patch7024: 0001-Sync-TouchListener-memory-allocation-with-population.patch
+
 %define moduledir	%{_libdir}/xorg/modules
 %define drimoduledir	%{_libdir}/dri
 %define sdkdir		%{_includedir}/xorg
@@ -588,6 +591,9 @@ rm -rf $RPM_BUILD_ROOT
 %{xserver_source_dir}
 
 %changelog
+* Tue Jan 29 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.12.4-4
+- Avoid memory corruption on too many touch listeners (#862829)
+
 * Wed Jan 23 2013 Adam Jackson <ajax at redhat.com> 1.12.4-3
 - Bump default EQ size to avoid spurious abrt reports