Projects
openEuler:24.03:SP1:Everything:64G
xorg-x11-server
_service:tar_scm:backport-CVE-2023-6816.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2023-6816.patch of Package xorg-x11-server
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 From: Peter Hutterer <peter.hutterer@who-t.net> Date: Thu, 14 Dec 2023 11:29:49 +1000 Subject: [PATCH] dix: allocate enough space for logical button maps Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Since buttons can be arbitrarily mapped to anything up to 255 make sure we have enough bits for the maximum mapping. CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative --- Xi/xiquerypointer.c | 3 +-- dix/enterleave.c | 5 +++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c index 5b77b1a444..2b05ac5f39 100644 --- a/Xi/xiquerypointer.c +++ b/Xi/xiquerypointer.c @@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) if (pDev->button) { int i; - rep.buttons_len = - bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); + rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ rep.length += rep.buttons_len; buttons = calloc(rep.buttons_len, 4); if (!buttons) diff --git a/dix/enterleave.c b/dix/enterleave.c index 867ec74363..ded8679d76 100644 --- a/dix/enterleave.c +++ b/dix/enterleave.c @@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); - /* XI 2 event */ - btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; + /* XI 2 event contains the logical button map - maps are CARD8 + * so we need 256 bits for the possibly maximum mapping */ + btlen = (mouse->button) ? bits_to_bytes(256) : 0; btlen = bytes_to_int32(btlen); len = sizeof(xXIFocusInEvent) + btlen * 4; -- GitLab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2