|
 |
57dbbbe |
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
|
|
|
57dbbbe |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
57dbbbe |
Date: Thu, 14 Dec 2023 11:29:49 +1000
|
|
|
57dbbbe |
Subject: [PATCH 1/9] dix: allocate enough space for logical button maps
|
|
|
57dbbbe |
|
|
|
57dbbbe |
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
|
|
|
57dbbbe |
each logical button currently down. Since buttons can be arbitrarily mapped
|
|
|
57dbbbe |
to anything up to 255 make sure we have enough bits for the maximum mapping.
|
|
|
57dbbbe |
|
|
|
57dbbbe |
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
|
|
|
57dbbbe |
|
|
|
57dbbbe |
This vulnerability was discovered by:
|
|
|
57dbbbe |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
57dbbbe |
---
|
|
|
57dbbbe |
Xi/xiquerypointer.c | 3 +--
|
|
|
57dbbbe |
dix/enterleave.c | 5 +++--
|
|
|
57dbbbe |
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
57dbbbe |
|
|
|
57dbbbe |
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
|
|
|
57dbbbe |
index 5b77b1a44..2b05ac5f3 100644
|
|
|
57dbbbe |
--- a/Xi/xiquerypointer.c
|
|
|
57dbbbe |
+++ b/Xi/xiquerypointer.c
|
|
|
57dbbbe |
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
|
|
|
57dbbbe |
if (pDev->button) {
|
|
|
57dbbbe |
int i;
|
|
|
57dbbbe |
|
|
|
57dbbbe |
- rep.buttons_len =
|
|
|
57dbbbe |
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
|
|
|
57dbbbe |
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
|
|
|
57dbbbe |
rep.length += rep.buttons_len;
|
|
|
57dbbbe |
buttons = calloc(rep.buttons_len, 4);
|
|
|
57dbbbe |
if (!buttons)
|
|
|
57dbbbe |
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
|
|
57dbbbe |
index 867ec7436..ded8679d7 100644
|
|
|
57dbbbe |
--- a/dix/enterleave.c
|
|
|
57dbbbe |
+++ b/dix/enterleave.c
|
|
|
57dbbbe |
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
|
|
|
57dbbbe |
|
|
|
57dbbbe |
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
|
|
|
57dbbbe |
|
|
|
57dbbbe |
- /* XI 2 event */
|
|
|
57dbbbe |
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
|
|
|
57dbbbe |
+ /* XI 2 event contains the logical button map - maps are CARD8
|
|
|
57dbbbe |
+ * so we need 256 bits for the possibly maximum mapping */
|
|
|
57dbbbe |
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
|
|
|
57dbbbe |
btlen = bytes_to_int32(btlen);
|
|
|
57dbbbe |
len = sizeof(xXIFocusInEvent) + btlen * 4;
|
|
|
57dbbbe |
|
|
|
57dbbbe |
--
|
|
|
57dbbbe |
2.43.0
|
|
|
57dbbbe |
|