From ae7db5180f0b38fea3fc6cbab022fe861b1af9f3 Mon Sep 17 00:00:00 2001 From: Peter Harris Date: Thu, 15 Jan 2026 15:54:09 -0500 Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap If the "compat" buffer has previously been truncated, there will be unused space in the buffer. The code uses this space, but does not update the number of valid entries in the buffer. In the best case, this leads to the new compat entries being ignored. In the worst case, if there are any "skipped" compat entries, the number of valid entries will be corrupted, potentially leading to a buffer read overrun when processing a future request. Set the number of used "compat" entries when re-using previously allocated space in the buffer. CVE-2026-33999, ZDI-CAN-28593 This vulnerability was discovered by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative Signed-off-by: Peter Harris Acked-by: Olivier Fourdan (cherry picked from commit b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b) Part-of: --- xkb/xkb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xkb/xkb.c b/xkb/xkb.c index befdfcc7c..65efa69e1 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -3002,7 +3002,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, return BadAlloc; } } - else if (req->truncateSI) { + else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { compat->num_si = req->firstSI + req->nSI; } sym = &compat->sym_interpret[req->firstSI];
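Review bot: The changed `else if` in `_XkbSetCompatMap` now evaluates `req->firstSI + req->nSI` twice, once in the test and once in the assignment, and the code itself gives no reason why `num_si` must grow when `truncateSI` is not set. Consider computing the sum once into a local and adding a one-line comment that this branch covers writes landing in previously allocated but unused entries, so the reasoning from the commit message is available in the source. Because this branch now raises `compat->num_si` to that sum, it relies on the preceding branch (the one returning `BadAlloc`) being taken whenever the sum exceeds the allocated capacity; that condition is outside the visible context, so please confirm it in the description or extend the hunk context to show it. A regression test that truncates the compat map and then sends a non-truncating request reaching past the old `num_si` would pin the corrected count.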