draglock: fix memory overwrite during draglock parsing

Passing in the size of the array but using it as "number of elements" inside
the function. Rename a bunch of arguments to avoid this.

https://bugs.freedesktop.org/show_bug.cgi?id=107166

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

src/draglock.c

@@ -116,7 +116,7 @@ draglock_get_meta(const struct draglock *dl)
 }
 
 size_t
-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
+draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem)
 {
 	unsigned int i;
 	size_t last = 0;
@@ -131,8 +131,8 @@ draglock_get_pairs(const struct draglock *dl, int *array, size_t sz)
 	}
 
 	/* size N array with a[0] == 0, the rest ordered by button number */
-	memset(array, 0, sz * sizeof(array[0]));
-	for (i = 0; i < sz && i < ARRAY_SIZE(dl->lock_pair); i++) {
+	memset(array, 0, nelem * sizeof(array[0]));
+	for (i = 0; i < nelem && i < ARRAY_SIZE(dl->lock_pair); i++) {
 		array[i] = dl->lock_pair[i];
 		if (array[i] != 0 && i > last)
 			last = i;
@@ -153,20 +153,20 @@ draglock_set_meta(struct draglock *dl, int meta_button)
 }
 
 int
-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz)
+draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem)
 {
 	unsigned int i;
 
-	if (sz == 0 || array[0] != 0)
+	if (nelem == 0 || array[0] != 0)
 		return 1;
 
-	for (i = 0; i < sz; i++) {
+	for (i = 0; i < nelem; i++) {
 		if (array[i] < 0 || array[i] >= DRAGLOCK_MAX_BUTTONS)
 			return 1;
 	}
 
 	dl->mode = DRAGLOCK_DISABLED;
-	for (i = 0; i < sz; i++) {
+	for (i = 0; i < nelem; i++) {
 		dl->lock_pair[i] = array[i];
 		if (dl->lock_pair[i])
 			dl->mode = DRAGLOCK_PAIRS;

src/draglock.h

@@ -107,13 +107,13 @@ draglock_get_meta(const struct draglock *dl);
  * @note Button numbers start at 1, array[0] is always 0.
  *
  * @param[in|out] array Caller-allocated array to hold the button mappings.
- * @param[in] sz Maximum number of elements in array
+ * @param[in] nelem Maximum number of elements in array
  *
  * @return The number of valid elements in array or 0 if the current mode is
  * not DRAGLOCK_PAIRS
  */
 size_t
-draglock_get_pairs(const struct draglock *dl, int *array, size_t sz);
+draglock_get_pairs(const struct draglock *dl, int *array, size_t nelem);
 
 /**
  * Set the drag lock config to the DRAGLOCK_META mode, with the given
@@ -140,7 +140,7 @@ draglock_set_meta(struct draglock *dl, int meta_button);
  * @return 0 on successor nonzero otherwise
  */
 int
-draglock_set_pairs(struct draglock *dl, const int *array, size_t sz);
+draglock_set_pairs(struct draglock *dl, const int *array, size_t nelem);
 
 /**
  * Process the given button event through the drag lock state machine.

src/xf86libinput.c

@@ -5326,7 +5326,7 @@ LibinputInitDragLockProperty(DeviceIntPtr dev,
 		break;
 	case DRAGLOCK_PAIRS:
 		sz = draglock_get_pairs(&driver_data->draglock,
-					dl_values, sizeof(dl_values));
+					dl_values, ARRAY_SIZE(dl_values));
 		break;
 	default:
 		xf86IDrvMsg(dev->public.devicePrivate,