From 432cb931cf1f40cbc992916fcff716db864da1af Mon Sep 17 00:00:00 2001
From: Peter Harris <pharris2@rocketsoftware.com>
Date: Thu, 15 Jan 2026 15:54:09 -0500
Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap

If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.

In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.

Set the number of used "compat" entries when re-using previously
allocated space in the buffer.

CVE-2026-33999, ZDI-CAN-28593

This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative

Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
 xkb/xkb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index f3cc05c4e..80e63e290 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
                 return BadAlloc;
             }
         }
-        else if (req->truncateSI) {
+        else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
             compat->num_si = req->firstSI + req->nSI;
         }
         sym = &compat->sym_interpret[req->firstSI];