From e8498788e8dd8be128d3425806dd47315d04f6b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Bernon?=
Date: Fri, 28 May 2021 16:12:17 +0200
Subject: [PATCH] server: Add hardware_msg_data size for variable size messages.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50506
Signed-off-by: RĂ©mi Bernon
Signed-off-by: Alexandre Julliard
---
 dlls/user32/rawinput.c | 2 +-
 include/wine/server_protocol.h | 4 +++-
 server/protocol.def | 2 ++
 server/queue.c | 15 ++++++++++-----
 4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/dlls/user32/rawinput.c b/dlls/user32/rawinput.c
index e4e7bad508f..115513ea144 100644
--- a/dlls/user32/rawinput.c
+++ b/dlls/user32/rawinput.c
@@ -624,7 +624,7 @@ UINT WINAPI DECLSPEC_HOTPATCH GetRawInputBuffer(RAWINPUT *data, UINT *data_size,
 data->header.dwSize - sizeof(RAWINPUTHEADER));
 data->header.dwSize += overhead;
 data = NEXTRAWINPUTBLOCK(data);
- msg_data++;
+ msg_data = (struct hardware_msg_data *)((char *)msg_data + msg_data->size);
 }
 if (count == 0 && next_size == 0) *data_size = 0;
diff --git a/include/wine/server_protocol.h b/include/wine/server_protocol.h
index e200bd670fc..96b91c503a9 100644
--- a/include/wine/server_protocol.h
+++ b/include/wine/server_protocol.h
@@ -292,6 +292,8 @@ union rawinput
 struct hardware_msg_data
 {
 lparam_t info;
+ data_size_t size;
+ int __pad;
 unsigned int hw_id;
 unsigned int flags;
 struct hw_msg_source source;
@@ -6307,7 +6309,7 @@ union generic_reply
 /* ### protocol_version begin ### */
-#define SERVER_PROTOCOL_VERSION 708
+#define SERVER_PROTOCOL_VERSION 709
 /* ### protocol_version end ### */
diff --git a/server/protocol.def b/server/protocol.def
index 93e2f56e037..142064d30d3 100644
--- a/server/protocol.def
+++ b/server/protocol.def
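Review bot: The stride `msg_data->size` read from the server reply is used unchecked in the new last line of the loop; a size below `sizeof(*msg_data)` (or zero) would step back into the message just consumed or not advance at all, and a size larger than the remaining reply would walk past the copied buffer. The reply is produced by wineserver, so this is an internal invariant rather than untrusted input, but a guard such as `if (msg_data->size < sizeof(*msg_data)) break;` before the advance, or a comment recording that the server guarantees `size >= sizeof(struct hardware_msg_data)`, would make the assumption visible to the next reader. The loop bound and the end of the reply buffer are outside the hunk, and GetRawInputBuffer starts and ends outside it.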
@@ -308,6 +308,8 @@ union rawinput
 struct hardware_msg_data
 {
 lparam_t info; /* extra info */
+ data_size_t size; /* size of hardware message data */
+ int __pad;
 unsigned int hw_id; /* unique id */
 unsigned int flags; /* hook flags */
 struct hw_msg_source source; /* message source */
diff --git a/server/queue.c b/server/queue.c
index 5d65e030112..07d4c7e0885 100644
--- a/server/queue.c
+++ b/server/queue.c
@@ -367,6 +367,7 @@ static struct message *alloc_hardware_message( lparam_t info, struct hw_msg_sour
 memset( msg_data, 0, sizeof(*msg_data) );
 msg_data->info = info;
+ msg_data->size = msg->data_size;
 msg_data->source = source;
 return msg;
 }
@@ -1794,6 +1795,7 @@ static int queue_mouse_message( struct desktop *desktop, user_handle_t win, cons
 msg_data = &raw_msg.data;
 msg_data->info = input->mouse.info;
+ msg_data->size = sizeof(*msg_data);
 msg_data->flags = flags;
 msg_data->rawinput.type = RIM_TYPEMOUSE;
 msg_data->rawinput.mouse.x = x - desktop->cursor.x;
@@ -1929,6 +1931,7 @@ static int queue_keyboard_message( struct desktop *desktop, user_handle_t win, c
 msg_data = &raw_msg.data;
 msg_data->info = input->kbd.info;
+ msg_data->size = sizeof(*msg_data);
 msg_data->flags = input->kbd.flags;
 msg_data->rawinput.type = RIM_TYPEKEYBOARD;
 msg_data->rawinput.kbd.message = message_code;
@@ -1996,6 +1999,7 @@ static void queue_custom_hardware_message( struct desktop *desktop, user_handle_
 msg_data = &raw_msg.data;
 msg_data->info = 0;
+ msg_data->size = sizeof(*msg_data);
 msg_data->flags = 0;
 msg_data->rawinput = input->hw.rawinput;
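Review bot: The comment on the new `size` field does not say that the value counts the struct itself: alloc_hardware_message stores `msg->data_size` in it and get_rawinput_buffer subtracts `sizeof(*data)` from it, so readers of protocol.def need something like `/* total size of the message data, including this struct */` rather than `/* size of hardware message data */`. The companion padding field is named `__pad`, an identifier reserved for the implementation in C; if the rest of protocol.def already uses that spelling for alignment padding then keeping it is the consistent choice, otherwise a non-reserved name such as `pad` would be preferable. server_protocol.h appears to be generated from this file, so whatever comment and name are chosen here land there too.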
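Review bot: The `msg_data->size = sizeof(*msg_data);` added here, and likewise in the queue_keyboard_message and queue_custom_hardware_message hunks, is written into the stack copy `raw_msg.data`, while alloc_hardware_message now stores `msg->data_size` in the allocated message; if the stack struct is later copied wholesale over the allocated one, this fixed value would overwrite the allocation-derived size and the two could disagree once a message carries data beyond the struct. That copy is outside the hunks, so this is a point to confirm rather than a defect I can see; one option is to leave `size` to alloc_hardware_message alone so it is derived in a single place. Each of the three enclosing functions starts and ends outside its hunk.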
@@ -3295,16 +3299,17 @@ DECL_HANDLER(get_rawinput_buffer)
 {
 struct message *msg = LIST_ENTRY( ptr, struct message, entry );
 struct hardware_msg_data *data = msg->data;
+ data_size_t extra_size = data->size - sizeof(*data);
 ptr = list_next( &input->msg_list, ptr );
 if (msg->msg != WM_INPUT) continue;
- next_size = req->rawinput_size;
+ next_size = req->rawinput_size + extra_size;
 if (size + next_size > req->buffer_size) break;
- if (cur + sizeof(*data) > buf + get_reply_max_size()) break;
- if (cur + sizeof(*data) > buf + buf_size)
+ if (cur + data->size > buf + get_reply_max_size()) break;
+ if (cur + data->size > buf + buf_size)
 {
- buf_size += buf_size / 2;
+ buf_size += buf_size / 2 + extra_size;
 if (!(tmp = realloc( buf, buf_size )))
 {
 set_error( STATUS_NO_MEMORY );
@@ -3314,7 +3319,7 @@ DECL_HANDLER(get_rawinput_buffer)
 buf = tmp;
 }
- memcpy(cur, data, sizeof(*data));
+ memcpy( cur, data, data->size );
 list_remove( &msg->entry );
 free_message( msg );
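Review bot: `data_size_t extra_size = data->size - sizeof(*data);` on the new fourth line of the hunk underflows whenever a message's `size` is smaller than the struct, for instance a message path that memsets the data and never sets the field; with data_size_t presumably unsigned, the result is a huge value that makes `next_size` and the `buf_size += buf_size / 2 + extra_size` growth wrap instead of failing. An `assert( data->size >= sizeof(*data) );` or a `set_error`/`break` guard before the subtraction would turn that into a visible failure. The two bounds checks now form `cur + data->size` with a variable size, so comparing offsets avoids building pointers beyond the end of `buf`: `if ((size_t)(cur - buf) + data->size > get_reply_max_size()) break;` and `if ((size_t)(cur - buf) + data->size > buf_size)`. get_rawinput_buffer continues on both sides of the hunk.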