From 49d57b342c0003fc43045c013fa2f8d7fcfa7556 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Gr=C3=A4=C3=9Flin?=
Date: Fri, 25 Nov 2016 13:14:14 +0100
Subject: [PATCH] [client] Fix nullptr dereference in ConfinedPointer and LockedPointer

The setRegion call allows a null region. This means nullptr is an allowed value which can be passed to ConfinedPointer::setRegion and LockedPointer::setRegion. In that case we crash if we try to convert the Region into a wl_region. Thus add proper nullptr check, just like in PointerConstraints::lockPointer and ::confinePointer. Auto test adjusted to cover the condition.

---
 .../autotests/client/test_pointer_constraints.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/wayland/autotests/client/test_pointer_constraints.cpp b/src/wayland/autotests/client/test_pointer_constraints.cpp
index d2f2e754fb..5c7be6bb82 100644
--- a/src/wayland/autotests/client/test_pointer_constraints.cpp
+++ b/src/wayland/autotests/client/test_pointer_constraints.cpp
@@ -226,6 +226,11 @@ void TestPointerConstraints::testLockPointer()
 surface->commit(Surface::CommitFlag::None);
 QVERIFY(regionChangedSpy.wait());
 QCOMPARE(serverLockedPointer->region(), QRegion(0, 5, 10, 20));
+ // and unset region again
+ lockedPointer->setRegion(nullptr);
+ surface->commit(Surface::CommitFlag::None);
+ QVERIFY(regionChangedSpy.wait());
+ QCOMPARE(serverLockedPointer->region(), QRegion());
 // let's lock the surface
 QSignalSpy lockedChangedSpy(serverLockedPointer.data(), &LockedPointerInterface::lockedChanged);
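Review bot: The added `lockedPointer->setRegion(nullptr);` followed by `surface->commit(...)` exercises exactly the path the subject says crashes, yet the diffstat lists only test_pointer_constraints.cpp (1 file changed, 10 insertions), so the nullptr check the message says is added to LockedPointer::setRegion and ConfinedPointer::setRegion is not part of this patch. Applied on its own, this test would reproduce the dereference rather than verify the fix; if the library change lands in a separate commit, the description should name it, or the two should be squashed so the test never exists without the guard it covers. The same applies to the `confinedPointer->setRegion(nullptr);` lines in the testConfinePointer hunk. The hunk header also announces 6 context lines but only 5 are visible here, which looks like a blank line lost in transport rather than a defect. testLockPointer begins before and continues after this hunk.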
@@ -326,6 +331,11 @@ void TestPointerConstraints::testConfinePointer()
 surface->commit(Surface::CommitFlag::None);
 QVERIFY(regionChangedSpy.wait());
 QCOMPARE(serverConfinedPointer->region(), QRegion(0, 5, 10, 20));
+ // and unset region again
+ confinedPointer->setRegion(nullptr);
+ surface->commit(Surface::CommitFlag::None);
+ QVERIFY(regionChangedSpy.wait());
+ QCOMPARE(serverConfinedPointer->region(), QRegion());
 // let's confine the surface
 QSignalSpy confinedChangedSpy(serverConfinedPointer.data(), &ConfinedPointerInterface::confinedChanged);