From 77e294797db17845808462b588d4e7a2130196bc Mon Sep 17 00:00:00 2001

From: Peter Hutterer <peter.hutterer@who-t.net>

Date: Thu, 14 Dec 2023 11:29:49 +1000

Subject: [PATCH xserver] dix: allocate enough space for logical button maps

Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for

each logical button currently down. Since buttons can be arbitrarily mapped

to anything up to 255 make sure we have enough bits for the maximum mapping.

CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665

This vulnerability was discovered by:

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

---

 Xi/xiquerypointer.c | 3 +--

 dix/enterleave.c    | 5 +++--

 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c

index 5b77b1a444..2b05ac5f39 100644

--- a/Xi/xiquerypointer.c

+++ b/Xi/xiquerypointer.c

@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)

     if (pDev->button) {

         int i;

-        rep.buttons_len =

-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));

+        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */

         rep.length += rep.buttons_len;

         buttons = calloc(rep.buttons_len, 4);

         if (!buttons)

diff --git a/dix/enterleave.c b/dix/enterleave.c

index 867ec74363..ded8679d76 100644

--- a/dix/enterleave.c

+++ b/dix/enterleave.c

@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,

     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);

-    /* XI 2 event */

-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;

+    /* XI 2 event contains the logical button map - maps are CARD8

+     * so we need 256 bits for the possibly maximum mapping */

+    btlen = (mouse->button) ? bits_to_bytes(256) : 0;

     btlen = bytes_to_int32(btlen);

     len = sizeof(xXIFocusInEvent) + btlen * 4;

-- 

2.43.0