authorMatthieu Herrb <matthieu@cvs.openbsd.org>2023-10-25 05:16:41 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2023-10-25 05:16:41 +0000
commit3fa480415b22a9a0bad6388bd24d62cfa3cb8090 (patch)
treeb121884ae3ac1a0f727193ea589dd051eab5d9af /xserver/mi/mipointer.c
parent6fab7f830fb5dcdce6072303c7a1b95d158d797f (diff)
Fix several input validation errors in the X server
CVE-2023-5367 CVE-2023-5380 CVE-2023-5574
Diffstat (limited to 'xserver/mi/mipointer.c')
-rw-r--r--xserver/mi/mipointer.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/xserver/mi/mipointer.c b/xserver/mi/mipointer.c
index a638f25d4..8cf003514 100644
--- a/xserver/mi/mipointer.c
+++ b/xserver/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
#ifdef PANORAMIX
&& noPanoramiXExtension
#endif
- )
- UpdateSpriteForScreen(pDev, pScreen);
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
}
/**
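Review bot: The added comment calls the two `LeaveWindow()` calls a hack but never states the invariant they enforce, so a later cleanup could drop or move them and bring back the use-after-free the comment describes. I would add a line above the calls such as `/* Invariant: after a screen change no PointerWindows[] entry may refer to a window on the old screen. */`. If `GetMaster(pDev, MASTER_POINTER)` can return `pDev` itself when `pDev` is already a master pointer (its definition is not visible here), the second call repeats the first, and `if (master && master != pDev)` would make the intent explicit. The enclosing `if` condition and the start of `miPointerWarpCursor` lie outside this hunk, so which warps reach this branch cannot be checked from the lines shown.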