| From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001 |
| From: Peter Hutterer <peter.hutterer@who-t.net> |
| Date: Wed, 25 Jan 2023 11:41:40 +1000 |
| Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses |
| |
| CVE-2023-0494, ZDI-CAN-19596 |
| |
| This vulnerability was discovered by: |
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| |
| Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| |
| Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec] |
| CVE: CVE-2023-0494 |
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> |
| --- |
| Xi/exevents.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/Xi/exevents.c b/Xi/exevents.c |
| index 217baa9561..dcd4efb3bc 100644 |
| --- a/Xi/exevents.c |
| +++ b/Xi/exevents.c |
| @@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) |
| memcpy(to->button->xkb_acts, from->button->xkb_acts, |
| sizeof(XkbAction)); |
| } |
| - else |
| + else { |
| free(to->button->xkb_acts); |
| + to->button->xkb_acts = NULL; |
| + } |
| |
| memcpy(to->button->labels, from->button->labels, |
| from->button->numButtons * sizeof(Atom)); |
| -- |
| GitLab |
| |