xref: /xsrc/external/mit/xorg-server/dist/test/bigreq/request-length.c

/*
 * Copyright © 2017 Broadcom
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice (including the next
 * paragraph) shall be included in all copies or substantial portions of the
 * Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 */

#include <unistd.h>
#include <stdlib.h>
#include <poll.h>
#include <xcb/xcb.h>
#include <xcb/bigreq.h>
#include <xcb/xinput.h>

int main(int argc, char **argv)
{
    xcb_connection_t *c = xcb_connect(NULL, NULL);
    int fd = xcb_get_file_descriptor(c);

    struct {
        uint8_t extension;
        uint8_t opcode;
        uint16_t length;
        uint32_t length_bigreq;
        uint32_t win;
        int num_masks;
        uint16_t pad;
    } xise_req = {
        .extension = 0,
        .opcode = XCB_INPUT_XI_SELECT_EVENTS,
        /* The server triggers BadValue on a zero num_mask */
        .num_masks = 0,
        .win = 0,

        /* This is the value that triggers the bug. */
        .length_bigreq = 0,
    };

    xcb_query_extension_cookie_t cookie;
    xcb_query_extension_reply_t *rep;

    cookie = xcb_query_extension(c, 15, "XInputExtension");
    rep = xcb_query_extension_reply(c, cookie, NULL);
    xise_req.extension = rep->major_opcode;

    free(xcb_big_requests_enable_reply(c, xcb_big_requests_enable(c), NULL));

    /* Manually write out the bad request.  XCB can't help us here.*/
    write(fd, &xise_req, sizeof(xise_req));

    /* Block until the server has processed our mess and throws an
     * error. If we get disconnected, then the server has noticed what we're
     * up to. If we get an error back from the server, it looked at our fake
     * request - which shouldn't happen.
     */
    struct pollfd pfd = {
        .fd = fd,
        .events = POLLIN,
    };
    poll(&pfd, 1, -1);

    if (pfd.revents & POLLHUP) {
        /* We got killed by the server for being naughty. Yay! */
        return 0;
    }

    /* We didn't get disconnected, that's bad. If we get a BadValue from our
     * request, we at least know that the bug triggered.
     *
     * If we get anything else back, something else has gone wrong.
     */
    xcb_generic_error_t error;
    int r = read(fd, &error, sizeof(error));

    if (r == sizeof(error) &&
        error.error_code == 2 /* BadValue */  &&
        error.major_code == xise_req.extension &&
        error.minor_code == XCB_INPUT_XI_SELECT_EVENTS)
        return 1; /* Our request was processed, which shouldn't happen */

    /* Something else bad happened. We got something back but it's not the
     * error we expected. If this happens, it needs to be investigated. */

    return 2;
}