Xi: Fix heap overflow in XISendDeviceHierarchyEvent
The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.
Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.
Allocate enough space to avoid a heap overflow in this situation.
ZDI-CAN-22744
This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: José Expósito <jexposit@redhat.com>
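An added example, not code from the X server or from this commit: a simplified C model of the sizing problem the message describes, with a bounds-checked writer that reports when the worst case no longer fits. The struct, flag names and functions are hypothetical; only `MAXDEVICES` (256) is taken from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAXDEVICES 256   /* value stated in the commit message */
#define CHG_REMOVED 0x1  /* hypothetical flag: device with this ID removed */
#define CHG_ADDED   0x2  /* hypothetical flag: device with this ID added */
/* Simplified stand-in for xXIHierarchyInfo; the real layout is not reproduced. */
struct model_info {
    unsigned short deviceid;
    unsigned char change;
};

/* Bounds-checked fill: one record per set flag per device ID. Returns the
 * number written, or -1 once the next record would not fit in info[capacity]. */
long fill_info(struct model_info *info, size_t capacity, const unsigned char *flags)
{
    size_t n = 0;
    for (int id = 0; id < MAXDEVICES; id++) {
        for (int bit = CHG_REMOVED; bit <= CHG_ADDED; bit <<= 1) {
            if (!(flags[id] & bit))
                continue;
            if (n == capacity)
                return -1;           /* refuse instead of writing past the end */
            info[n].deviceid = (unsigned short)id;
            info[n].change = (unsigned char)bit;
            n++;
        }
    }
    return (long)n;
}

/* Worst case from the message: every ID removed and re-added in one operation. */
long worst_case(size_t capacity)
{
    unsigned char flags[MAXDEVICES];
    for (int id = 0; id < MAXDEVICES; id++)
        flags[id] = CHG_REMOVED | CHG_ADDED;
    struct model_info *info = calloc(capacity, sizeof *info);
    if (info == NULL)
        return -2;
    long written = fill_info(info, capacity, flags);
    free(info);
    return written;
}

int main(void)
{
    printf("%ld %ld\n", worst_case(MAXDEVICES), worst_case(2 * MAXDEVICES));
    return 0;
}
```

In this model a buffer of `MAXDEVICES` records is rejected in the worst case, while `2 * MAXDEVICES` records hold every entry.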