dix: allocate enough space for logical button maps

Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Since buttons can be arbitrarily mapped to anything up to 255 make sure we have enough bits for the maximum mapping. CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
author: Peter Hutterer <peter.hutterer@who-t.net> 2023-12-14 11:29:49 +1000
committer: José Expósito <jose.exposito89@gmail.com> 2024-01-16 09:23:47 +0100
commit: 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 (patch)
tree: 6f50a50a2825d22cba722965a9a147713d5b55f6 /dix/enterleave.c
parent: cad42fcb0850e001c7ae37179c8b94ccc42c0306 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 867ec7436..ded8679d7 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
 
     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
 
-    /* XI 2 event */
-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+    /* XI 2 event contains the logical button map - maps are CARD8
+     * so we need 256 bits for the possibly maximum mapping */
+    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
     btlen = bytes_to_int32(btlen);
     len = sizeof(xXIFocusInEvent) + btlen * 4;
author	Peter Hutterer <peter.hutterer@who-t.net>	2023-12-14 11:29:49 +1000
committer	José Expósito <jose.exposito89@gmail.com>	2024-01-16 09:23:47 +0100
commit	9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 (patch)
tree	6f50a50a2825d22cba722965a9a147713d5b55f6 /dix/enterleave.c
parent	cad42fcb0850e001c7ae37179c8b94ccc42c0306 (diff)