Bug 1061543

Summary: out-of-bounds access in XSetDeviceButtonMapping
Product: Red Hat Enterprise Linux 6 Reporter: Peter Hutterer <peter.hutterer>
Component: xorg-x11-serverAssignee: Peter Hutterer <peter.hutterer>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: tpelka, xgl-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: xorg-x11-server-1.15.0-20.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1061466 Environment:
Last Closed: 2014-10-14 04:53:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1061466    
Bug Blocks: 1061541    

Description Peter Hutterer 2014-02-05 03:20:58 UTC
+++ This bug was initially created as a clone of Bug #1061466 +++

Description of problem:
XSetDeviceButtonMapping takes a user-specified map of button mappings (with a user-specified length). The server checks if each button is down before applying a mapping but it erroneously treats each button number as an array index instead of a bitflag, causing out-of-bounds access on the fixed-size array.

Version-Release number of selected component (if applicable):

--- Additional comment from Fedora Update System on 2014-02-04 18:29:02 EST ---

xorg-x11-server-1.14.4-6.fc20 has been submitted as an update for Fedora 20.

Comment 2 Peter Hutterer 2014-08-20 04:06:46 UTC
xorg-x11-server-1.15.0-20.el6 is available in brew

Comment 4 errata-xmlrpc 2014-10-14 04:53:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.