Xi: fix potential use-after-free in DeepCopyPointerClasses

CVE-2023-0494, ZDI-CAN-19596 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
author: Peter Hutterer <peter.hutterer@who-t.net> 2023-01-25 11:41:40 +1000
committer: Peter Hutterer <peter.hutterer@who-t.net> 2023-02-07 10:21:52 +1000
commit: 9ca7d3f61a88ae6cf47fdf139b6215d745db976b (patch)
tree: e36bd7e695cf4073f91f101597b41922b5d3153a
parent: 4b925d388f76764dcb02dfd1cd7276262dcd7d74 (diff)
download: xserver-9ca7d3f61a88ae6cf47fdf139b6215d745db976b.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 217baa956..dcd4efb3b 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
                    sizeof(XkbAction));
         }
-        else
+        else {
             free(to->button->xkb_acts);
+            to->button->xkb_acts = NULL;
+        }
 
         memcpy(to->button->labels, from->button->labels,
                from->button->numButtons * sizeof(Atom));
author	Peter Hutterer <peter.hutterer@who-t.net>	2023-01-25 11:41:40 +1000
committer	Peter Hutterer <peter.hutterer@who-t.net>	2023-02-07 10:21:52 +1000
commit	9ca7d3f61a88ae6cf47fdf139b6215d745db976b (patch)
tree	e36bd7e695cf4073f91f101597b41922b5d3153a
parent	4b925d388f76764dcb02dfd1cd7276262dcd7d74 (diff)
download	xserver-9ca7d3f61a88ae6cf47fdf139b6215d745db976b.tar.gz