diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2023-12-21 13:48:10 +1000 |
---|---|---|
committer | José Expósito <jose.exposito89@gmail.com> | 2024-01-16 09:24:01 +0100 |
commit | df3c65706eb169d5938df0052059f3e0d5981b74 (patch) | |
tree | a2ff934792bb6069f8f6ed0335050ffc97327a29 /Xi | |
parent | 219c54b8a3337456ce5270ded6a67bcde53553d5 (diff) |
Xi: when creating a new ButtonClass, set the number of buttons
There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.
Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Diffstat (limited to 'Xi')
-rw-r--r-- | Xi/exevents.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c index 54ea11a93..e16171468 100644 --- a/Xi/exevents.c +++ b/Xi/exevents.c @@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) to->button = calloc(1, sizeof(ButtonClassRec)); if (!to->button) FatalError("[Xi] no memory for class shift.\n"); + to->button->numButtons = from->button->numButtons; } else classes->button = NULL; |