xcb: fix mouse event compression with certain configurations

The bug was that we are accessing memory beyond 32 bytes. It is
not safe to cast xcb_generic_event_t to Xlib's XI2 structs before
we have memmoved bits to the expected layout (for details see
QXcbConnection::xi2PrepareXIGenericDeviceEvent). We do this memmove
later in the stack, when processing the XI2 events. Here at the
compression step we can simply extract the necessary sourceId by
reading the sourceId offset in the data.

Task-number: QTBUG-68033
Change-Id: I6962bbb8f8b0834d6f780f62017fefa2de7f47df
Reviewed-by: Mikhail Svetkin <mikhail.svetkin@qt.io>
Reviewed-by: Laszlo Agocs <laszlo.agocs@qt.io>

1 files changed, 4 insertions, 2 deletions

diff --git a/src/plugins/platforms/xcb/qxcbconnection.cpp b/src/plugins/platforms/xcb/qxcbconnection.cpp
index 879d31f29a..d971de766d 100644
--- a/src/plugins/platforms/xcb/qxcbconnection.cpp
+++ b/src/plugins/platforms/xcb/qxcbconnection.cpp
@@ -1683,12 +1683,14 @@ bool QXcbConnection::compressEvent(xcb_generic_event_t *event, int currentIndex,
         if (!hasXInput2())
             return false;
 
-        // compress XI_Motion, but not from tablet devices
+        // compress XI_Motion
         if (isXIType(event, m_xiOpCode, XI_Motion)) {
 #if QT_CONFIG(tabletevent)
             xXIDeviceEvent *xdev = reinterpret_cast<xXIDeviceEvent *>(event);
+            // Xlib's XI2 events need memmove, see xi2PrepareXIGenericDeviceEvent()
+            auto sourceId = *reinterpret_cast<uint16_t *>(reinterpret_cast<char *>(&xdev->sourceid) + 4);
             if (!QCoreApplication::testAttribute(Qt::AA_CompressTabletEvents) &&
-                    const_cast<QXcbConnection *>(this)->tabletDataForDevice(xdev->sourceid))
+                    const_cast<QXcbConnection *>(this)->tabletDataForDevice(sourceId))
                 return false;
 #endif // QT_CONFIG(tabletevent)
             for (int j = nextIndex; j < eventqueue->size(); ++j) {