summaryrefslogtreecommitdiff
path: root/Xi
diff options
context:
space:
mode:
authorPeter Hutterer <peter.hutterer@who-t.net>2023-12-21 13:48:10 +1000
committerJosé Expósito <jose.exposito89@gmail.com>2024-01-16 09:24:01 +0100
commitdf3c65706eb169d5938df0052059f3e0d5981b74 (patch)
treea2ff934792bb6069f8f6ed0335050ffc97327a29 /Xi
parent219c54b8a3337456ce5270ded6a67bcde53553d5 (diff)
Xi: when creating a new ButtonClass, set the number of buttons
There's a racy sequence where a master device may copy the button class from the slave, without ever initializing numButtons. This leads to a device with zero buttons but a button class which is invalid. Let's copy the numButtons value from the source - by definition if we don't have a button class yet we do not have any other slave devices with more than this number of buttons anyway. CVE-2024-0229, ZDI-CAN-22678 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Diffstat (limited to 'Xi')
-rw-r--r--Xi/exevents.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 54ea11a93..e16171468 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
to->button = calloc(1, sizeof(ButtonClassRec));
if (!to->button)
FatalError("[Xi] no memory for class shift.\n");
+ to->button->numButtons = from->button->numButtons;
}
else
classes->button = NULL;