diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2023-01-25 11:41:40 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2023-02-07 10:21:52 +1000 |
commit | 9ca7d3f61a88ae6cf47fdf139b6215d745db976b (patch) | |
tree | e36bd7e695cf4073f91f101597b41922b5d3153a | |
parent | 4b925d388f76764dcb02dfd1cd7276262dcd7d74 (diff) | |
download | xserver-9ca7d3f61a88ae6cf47fdf139b6215d745db976b.tar.gz |
Xi: fix potential use-after-free in DeepCopyPointerClasses
CVE-2023-0494, ZDI-CAN-19596
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
-rw-r--r-- | Xi/exevents.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c index 217baa956..dcd4efb3b 100644 --- a/Xi/exevents.c +++ b/Xi/exevents.c @@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) memcpy(to->button->xkb_acts, from->button->xkb_acts, sizeof(XkbAction)); } - else + else { free(to->button->xkb_acts); + to->button->xkb_acts = NULL; + } memcpy(to->button->labels, from->button->labels, from->button->numButtons * sizeof(Atom)); |