Bug 1061543

Summary: out-of-bounds access in XSetDeviceButtonMapping
Product: Red Hat Enterprise Linux 6 Reporter: Peter Hutterer <peter.hutterer>
Component: xorg-x11-serverAssignee: Peter Hutterer <peter.hutterer>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: tpelka, xgl-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: xorg-x11-server-1.15.0-20.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1061466 Environment:
Last Closed: 2014-10-14 04:53:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1061466    
Bug Blocks: 1061541    

Description Peter Hutterer 2014-02-05 03:20:58 UTC 
+++ This bug was initially created as a clone of Bug #1061466 +++

Description of problem:
XSetDeviceButtonMapping takes a user-specified map of button mappings (with a user-specified length). The server checks if each button is down before applying a mapping but it erroneously treats each button number as an array index instead of a bitflag, causing out-of-bounds access on the fixed-size array.

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.14.4-5.fc20.x86_64

--- Additional comment from Fedora Update System on 2014-02-04 18:29:02 EST ---

xorg-x11-server-1.14.4-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xorg-x11-server-1.14.4-6.fc20
Comment 2 Peter Hutterer 2014-08-20 04:06:46 UTC 
xorg-x11-server-1.15.0-20.el6 is available in brew
Comment 4 errata-xmlrpc 2014-10-14 04:53:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1376.html