File bsc1218583-0003-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch of Package xorg-x11-server.39040

From 061eb684996627347acdf87ec11d108cedee71b6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 21 Dec 2023 13:48:10 +1000
Subject: [PATCH xserver] Xi: when creating a new ButtonClass, set the number
 of buttons

There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 Xi/exevents.c | 1 +
 1 file changed, 1 insertion(+)

Index: xorg-server-1.20.3/Xi/exevents.c
===================================================================
--- xorg-server-1.20.3.orig/Xi/exevents.c
+++ xorg-server-1.20.3/Xi/exevents.c
@@ -561,6 +561,7 @@ DeepCopyPointerClasses(DeviceIntPtr from
                 to->button = calloc(1, sizeof(ButtonClassRec));
                 if (!to->button)
                     FatalError("[Xi] no memory for class shift.\n");
+                to->button->numButtons = from->button->numButtons;
             }
             else
                 classes->button = NULL;