From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001

From: Peter Hutterer <peter.hutterer@who-t.net>

Date: Thu, 21 Dec 2023 13:48:10 +1000

Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of

 buttons

There's a racy sequence where a master device may copy the button class

from the slave, without ever initializing numButtons. This leads to a

device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we

don't have a button class yet we do not have any other slave devices

with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

---

 Xi/exevents.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/Xi/exevents.c b/Xi/exevents.c

index 54ea11a93..e16171468 100644

--- a/Xi/exevents.c

+++ b/Xi/exevents.c

@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)

                 to->button = calloc(1, sizeof(ButtonClassRec));

                 if (!to->button)

                     FatalError("[Xi] no memory for class shift.\n");

+                to->button->numButtons = from->button->numButtons;

             }

             else

                 classes->button = NULL;

-- 

2.43.0