From 5f3cd22b7fc25c64685d0620925bd8c8e5671777 Mon Sep 17 00:00:00 2001
From: stefan11111
Date: Wed, 5 Feb 2025 00:15:07 +0200
Subject: [PATCH 1/2] port fix for a segfault: https://github.com/stefan11111/kdrive/commit/0aa5ca446ec61aebcf6c10ac2f00ec61cd53cf4a
This fixes an incorrect loop condtion, as it is possible to skip over NUM_PROT when incrementing This causes a segfault in kdrive, when km->i_prot would have to loop, instead continuing to read out of bounds. I couldn't get tinyx to also segfault, but that doesn't mean it's impossible. It might happen on different hardware.
---
 kdrive/linux/mouse.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kdrive/linux/mouse.c b/kdrive/linux/mouse.c
index 18a8d9c..629f0da 100644
--- a/kdrive/linux/mouse.c
+++ b/kdrive/linux/mouse.c
@@ -729,6 +729,9 @@ static void MouseFirstProtocol(Kmouse * km, char *prot)
 for (i = 0; i < NUM_PROT; i++)
 ErrorF(" %s", kmouseProts[i]->name);
 ErrorF("\n");
+ km->i_prot = 0;
+ km->prot = kmouseProts[km->i_prot];
+ ErrorF("Falling back to %s\n", km->prot->name);
 } else {
 km->prot = kmouseProts[km->i_prot];
 if (km->tty && !km->prot->tty)
@@ -754,7 +757,7 @@ static void MouseNextProtocol(Kmouse * km)
 do {
 if (!km->prot)
 km->i_prot = 0;
- else if (++km->i_prot == NUM_PROT)
+ else if (++km->i_prot >= NUM_PROT)
 km->i_prot = 0;
 km->prot = kmouseProts[km->i_prot];
 } while (km->prot->tty != km->tty);
From c8fd8e596e73322e48fddc9b6cb42bfdbd582c6a Mon Sep 17 00:00:00 2001
From: stefan11111
Date: Wed, 5 Feb 2025 11:25:49 +0200
Subject: [PATCH 2/2] Replace strlen with sizeof
We know the size of the ps/2 init bytes at compile time. No need to call strlen.
---
 kdrive/linux/mouse.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/kdrive/linux/mouse.c b/kdrive/linux/mouse.c
index 629f0da..74f72f1 100644
--- a/kdrive/linux/mouse.c
+++ b/kdrive/linux/mouse.c
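Review bot: The fallback on the three added lines picks `kmouseProts[0]` without checking whether its `tty` flag matches `km->tty`, while the else branch directly below warns on exactly that mismatch and MouseNextProtocol (the next hunk) only ever settles on an entry whose `tty` equals `km->tty`; an unknown protocol name on a serial device can therefore silently end up with a non-serial protocol, or the reverse. Presumably `tty` marks serial-port protocols, as the warning text suggests, so the fallback should scan for the first compatible entry and only take index 0 when none exists, keeping the index in range either way. MouseFirstProtocol begins before this hunk and its else branch continues past it, so the warning wording there is not visible here.
```c
        ErrorF("\n");
        /* Fall back to the first entry usable on this device (tty flag must match) */
        for (km->i_prot = 0; km->i_prot < NUM_PROT; km->i_prot++)
            if (kmouseProts[km->i_prot]->tty == km->tty)
                break;
        if (km->i_prot == NUM_PROT)
            km->i_prot = 0;     /* nothing compatible; still keep the index in range */
        km->prot = kmouseProts[km->i_prot];
        ErrorF("Falling back to %s\n", km->prot->name);
        /* … unchanged: else branch with the serial/non-serial mismatch warnings … */
```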
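Review bot: The `>=` on the changed line keeps the index in range, but the do/while it sits in still has no exit when no entry of kmouseProts has a `tty` flag equal to `km->tty`: it then cycles through all NUM_PROT entries forever. Since the previous hunk now leaves i_prot in range whenever MouseFirstProtocol returns, the `>=` is defense in depth and deserves a comment saying so, e.g. `/* >= rather than ==: tolerate an out-of-range i_prot left by a caller */`. Bounding the search, `int tries = NUM_PROT;` before the loop and `} while (km->prot->tty != km->tty && --tries > 0);`, would close the spin, at the cost that callers must then tolerate a mismatched protocol, as MouseFirstProtocol already does with a warning. Whether the table can actually lack a matching entry depends on kmouseProts, which is outside the hunk.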
@@ -386,8 +386,7 @@ static const KmouseProt exps2Prot = {
 #define PSM_4DPLUS_ID 8
 static const unsigned char ps2_init[] = {
- PSMC_ENABLE_DEV,
- 0,
+ PSMC_ENABLE_DEV
 };
 #define NINIT_PS2 1
@@ -397,7 +396,6 @@ static const unsigned char wheel_3button_init[] = {
 PSMC_SET_SAMPLING_RATE, 100,
 PSMC_SET_SAMPLING_RATE, 80,
 PSMC_SEND_DEV_ID,
- 0,
 };
 #define NINIT_IMPS2 4
@@ -410,7 +408,6 @@ static const unsigned char wheel_5button_init[] = {
 PSMC_SET_SAMPLING_RATE, 200,
 PSMC_SET_SAMPLING_RATE, 80,
 PSMC_SEND_DEV_ID,
- 0
 };
 #define NINIT_EXPS2 7
@@ -419,7 +416,6 @@ static const unsigned char intelli_init[] = {
 PSMC_SET_SAMPLING_RATE, 200,
 PSMC_SET_SAMPLING_RATE, 100,
 PSMC_SET_SAMPLING_RATE, 80,
- 0
 };
 #define NINIT_INTELLI 3
@@ -456,9 +452,10 @@ static Bool ps2Init(KdMouseInfo * mi)
 int id;
 const unsigned char *init;
 int ninit;
+ int len;
 /* Send Intellimouse initialization sequence */
- MouseWriteBytes(km->iob.fd, intelli_init, strlen((char *)intelli_init),
+ MouseWriteBytes(km->iob.fd, intelli_init, sizeof(intelli_init),
 100);
 /*
 * Send ID command
@@ -471,20 +468,23 @@ static Bool ps2Init(KdMouseInfo * mi)
 init = wheel_3button_init;
 ninit = NINIT_IMPS2;
 km->prot = &imps2Prot;
+ len = sizeof(wheel_3button_init);
 break;
 case 4:
 init = wheel_5button_init;
 ninit = NINIT_EXPS2;
 km->prot = &exps2Prot;
+ len = sizeof(wheel_5button_init);
 break;
 default:
 init = ps2_init;
 ninit = NINIT_PS2;
 km->prot = &ps2Prot;
+ len = sizeof(ps2_init);
 break;
 }
 if (init)
- MouseWriteBytes(km->iob.fd, init, strlen((char *)init), 100);
+ MouseWriteBytes(km->iob.fd, init, len, 100);
 /*
 * Flush out the available data to eliminate responses to the
 * initialization string. Make sure any partial event is
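Review bot: Dropping the trailing 0 turns ps2_init (and the other three tables in this patch) from a NUL-terminated string into a raw byte array, so any `strlen((char *)...)` still applied to them — the two call sites converted later in this patch are the only ones visible — would now read past the end of the array. A comment on the declaration should make that contract explicit, e.g. `/* Raw PS/2 command bytes, not NUL-terminated: size with sizeof(), never strlen() */`, and the same line belongs on wheel_3button_init, wheel_5button_init and intelli_init. A grep for remaining `strlen((char *)` uses in mouse.c is worth doing before merging, since the rest of the file is outside the hunk.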
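Review bot: `len` is declared `int` in the preceding hunk but every value assigned to it here is a `sizeof`, i.e. `size_t`; `size_t len;` matches the values, unless MouseWriteBytes' length parameter (declared outside the hunk) is `int`, in which case the narrowing was already present with strlen and only the comment below is needed. Three parallel assignments per case (init, ninit, len) must now be kept in sync by hand, and ninit counts commands while len counts bytes, which is easy to confuse; a helper such as `#define PS2_INIT_SEQ(seq, n) do { init = (seq); len = sizeof(seq); ninit = (n); } while (0)` collapses each case to one line and ties the byte count to the array it sends. ps2Init begins and ends outside this hunk, so whether len is read anywhere else cannot be checked here.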