frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dix: fix button offset when generating DeviceButtonStateNotify events 

Found by Oracle Parfait 13.3 static analyzer:
   Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
      Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
       size 24 is written at an offset of 28
      Array size is 28 bytes, index is 32
        at line 743 of dix/enterleave.c in function
	 'DeliverStateNotifyEvent'.

Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
This commit is contained in:
Alan Coopersmith 2024-10-12 17:01:03 -07:00 committed by Enrico Weigelt, metux IT consult
parent 49bdf60143
commit 49a8d866ed
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dix/enterleave.c
View File

@ -740,7 +740,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
(ev - 1)->deviceid |= MORE_EVENTS; (ev - 1)->deviceid |= MORE_EVENTS;
bev->type = DeviceButtonStateNotify; bev->type = DeviceButtonStateNotify;
bev->deviceid = dev->id; bev->deviceid = dev->id;
memcpy((char *) &bev->buttons[4], (char *) &b->down[4], memcpy((char *) &bev->buttons[0], (char *) &b->down[4],
DOWN_LENGTH - 4); DOWN_LENGTH - 4);
} }