From 02be6850841d143ffb6c8b15c5ecf611b81fe81c Mon Sep 17 00:00:00 2001 From: Gatis Paeglis Date: Wed, 6 Jun 2018 11:32:39 +0200 Subject: [PATCH] xcb: fix mouse event compression with certain configurations The bug was that we are accessing memory beyond 32 bytes. It is not safe to cast xcb_generic_event_t to Xlib's XI2 structs before we have memmoved bits to the expected layout (for details see QXcbConnection::xi2PrepareXIGenericDeviceEvent). We do this memmove later in the stack, when processing the XI2 events. Here at the compression step we can simply extract the necessary sourceId by reading the sourceId offset in the data. Task-number: QTBUG-68033 Change-Id: I6962bbb8f8b0834d6f780f62017fefa2de7f47df Reviewed-by: Mikhail Svetkin Reviewed-by: Laszlo Agocs --- src/plugins/platforms/xcb/qxcbconnection.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/plugins/platforms/xcb/qxcbconnection.cpp b/src/plugins/platforms/xcb/qxcbconnection.cpp index 879d31f29a..d971de766d 100644 --- a/src/plugins/platforms/xcb/qxcbconnection.cpp +++ b/src/plugins/platforms/xcb/qxcbconnection.cpp @@ -1683,12 +1683,14 @@ bool QXcbConnection::compressEvent(xcb_generic_event_t *event, int currentIndex, if (!hasXInput2()) return false; - // compress XI_Motion, but not from tablet devices + // compress XI_Motion if (isXIType(event, m_xiOpCode, XI_Motion)) { #if QT_CONFIG(tabletevent) xXIDeviceEvent *xdev = reinterpret_cast(event); + // Xlib's XI2 events need memmove, see xi2PrepareXIGenericDeviceEvent() + auto sourceId = *reinterpret_cast(reinterpret_cast(&xdev->sourceid) + 4); if (!QCoreApplication::testAttribute(Qt::AA_CompressTabletEvents) && - const_cast(this)->tabletDataForDevice(xdev->sourceid)) + const_cast(this)->tabletDataForDevice(sourceId)) return false; #endif // QT_CONFIG(tabletevent) for (int j = nextIndex; j < eventqueue->size(); ++j) {