frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: when creating a new ButtonClass, set the number of buttons 

There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

(cherry picked from commit df3c65706e)
This commit is contained in:
Peter Hutterer 2023-12-21 13:48:10 +10:00 committed by José Expósito
parent 7173a8911e
commit 8887cb1f27
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Xi/exevents.c
View File

@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
to->button = calloc(1, sizeof(ButtonClassRec)); to->button = calloc(1, sizeof(ButtonClassRec));
if (!to->button) if (!to->button)
FatalError("[Xi] no memory for class shift.\n"); FatalError("[Xi] no memory for class shift.\n");
to->button->numButtons = from->button->numButtons;
} }
else else
classes->button = NULL; classes->button = NULL;