rpm/xorg-x11-server
SHA256
1
0
Fork 0
forked from pool/xorg-x11-server
Code Pull Requests Activity

Added missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch.

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=863
This commit is contained in:
Joan Torres 2023-12-13 10:09:44 +00:00 committed by Git OBS Bridge
parent d3adf84eb2
commit cdc2ed918d
1 changed files with 19 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
View File

@ -14,37 +14,33 @@ CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by: This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
--- ---
Xi/exevents.c | 8 ++++++-- Xi/exevents.c | 12 ++++++------
dix/devices.c | 11 +++++++++++ dix/devices.c | 10 ++++++++++
2 files changed, 17 insertions(+), 2 deletions(-) 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..f24de9eec4 100644
--- a/Xi/exevents.c --- a/Xi/exevents.c
+++ b/Xi/exevents.c +++ a/Xi/exevents.c
@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) @@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) { if (from->button->xkb_acts) {
if (!to->button->xkb_acts) { - if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); - to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction)); - if (!to->button->xkb_acts)
if (!to->button->xkb_acts) - FatalError("[Xi] not enough memory for xkb_acts.\n");
FatalError("[Xi] not enough memory for xkb_acts.\n"); - }
+ } else { + size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, + to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ from->button->numButtons, + maxbuttons,
+ sizeof(XkbAction)); + sizeof(XkbAction));
} + memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts, memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction)); - sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction)); + from->button->numButtons * sizeof(XkbAction));
} }
else { else {
free(to->button->xkb_acts); free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index 7150734a58..deb3010206 100644
--- a/dix/devices.c --- a/dix/devices.c
+++ b/dix/devices.c +++ a/dix/devices.c
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) @@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) { if (master->button && master->button->numButtons != maxbuttons) {
@ -54,7 +50,7 @@ index 7150734a58..deb3010206 100644
DeviceChangedEvent event = { DeviceChangedEvent event = {
.header = ET_Internal, .header = ET_Internal,
.type = ET_DeviceChanged, .type = ET_DeviceChanged,
@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave) @@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
}; };
master->button->numButtons = maxbuttons; master->button->numButtons = maxbuttons;
@ -66,10 +62,7 @@ index 7150734a58..deb3010206 100644
+ 0, + 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); + (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ } + }
+
memcpy(&event.buttons.names, master->button->labels, maxbuttons * memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom)); sizeof(Atom));
-- --
2.43.0