Xi: when creating a new ButtonClass, set the number of buttons
There's a racy sequence where a master device may copy the button class from the slave, without ever initializing numButtons. This leads to a device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we don't have a button class yet we do not have any other slave devices with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
parent 219c54b8a3
commit df3c65706e
				|  | @ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) | ||||||
|                 to->button = calloc(1, sizeof(ButtonClassRec)); |                 to->button = calloc(1, sizeof(ButtonClassRec)); | ||||||
|                 if (!to->button) |                 if (!to->button) | ||||||
|                     FatalError("[Xi] no memory for class shift.\n"); |                     FatalError("[Xi] no memory for class shift.\n"); | ||||||
|  |                 to->button->numButtons = from->button->numButtons; | ||||||
|             } |             } | ||||||
|             else |             else | ||||||
|                 classes->button = NULL; |                 classes->button = NULL; | ||||||
|  |  | ||||||
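Review bot: The added assignment `to->button->numButtons = from->button->numButtons;` after the `calloc` check has no comment explaining why it is safe to take the source's count here, and that reasoning currently lives only in the commit message. A short comment above the line would help, stating that a freshly allocated button class means no other slave with more buttons has been seen yet. Since the copy only happens on the branch that allocates `to->button`, it is also worth confirming in the surrounding code that the path where `to->button` already exists keeps `numButtons` consistent with the class contents, because this hunk does not show it.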