From 4b073d65bb5e1f4accb7ed280c8926134582b7ab Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 12 Oct 2024 17:01:03 -0700
Subject: [PATCH] dix: fix button offset when generating DeviceButtonStateNotify events
Found by Oracle Parfait 13.3 static analyzer: Buffer Overflow in STD C function [buffer-overflow-call-stdc]: Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of size 24 is written at an offset of 28 Array size is 28 bytes, index is 32 at line 743 of dix/enterleave.c in function 'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer
Signed-off-by: Alan Coopersmith
Part-of:
---
 dix/enterleave.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 2e7a64195..268ced662 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -740,7 +740,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
 (ev - 1)->deviceid |= MORE_EVENTS;
 bev->type = DeviceButtonStateNotify;
 bev->deviceid = dev->id;
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+ memcpy((char *) &bev->buttons[0], (char *) &b->down[4],
 DOWN_LENGTH - 4);
 }
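Review bot: The corrected memcpy still takes its length from the source side (`DOWN_LENGTH - 4`) rather than from the destination, so nothing in the code ties it to the 28-byte `bev->buttons` array that the commit message cites. With the destination offset now 0, the copy appears to fill the array exactly (the analyzer's reported index of 32 implies a 28-byte length), which leaves no margin if either definition ever changes. Bounding the copy by the destination, e.g. `memcpy(bev->buttons, &b->down[4], sizeof(bev->buttons));`, together with a compile-time check that `sizeof(bev->buttons) == DOWN_LENGTH - 4`, would make the bound self-evident. A short comment such as `/* first 4 bytes of b->down are presumably sent in the preceding event; the remainder starts at buttons[0] */` would also record why the source and destination offsets differ. Both structure definitions and the rest of DeliverStateNotifyEvent lie outside the hunk, so this should be confirmed against them.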