xkb: Fix buffer overflow in _XkbSetCompatMap()

Fixes #1085 (CVE-2024-9632)

Backport of this xorg-xserver upstream commit:
  commit 85b776571487f52e756f68a069c768757369bfe3
  Author: Matthieu Herrb <[email protected]>
  Date:   Thu Oct 10 10:37:28 2024 +0200

    xkb: Fix buffer overflow in _XkbSetCompatMap()

    The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
    buffer.

    However, It didn't update its size properly. It updated `num_si` only,
    without updating `size_si`.

    This may lead to local privilege escalation if the server is run as root
    or remote code execution (e.g. x11 over ssh).

    CVE-2024-9632, ZDI-CAN-24756

    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

    Reviewed-by: Peter Hutterer <[email protected]>
    Tested-by: Peter Hutterer <[email protected]>
    Reviewed-by: José Expósito <[email protected]>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>

Author: uli42

nx-X11/programs/Xserver/xkb/xkb.c

@@ -2565,13 +2565,13 @@ ProcXkbSetCompatMap(ClientPtr client)
     if (stuff->nSI>0) {
 	xkbSymInterpretWireDesc *wire = (xkbSymInterpretWireDesc *)data;
 	XkbSymInterpretPtr	sym;
-	if ((unsigned)(stuff->firstSI+stuff->nSI)>compat->num_si) {
-	    compat->num_si= stuff->firstSI+stuff->nSI;
+	if ((unsigned) (stuff->firstSI + stuff->nSI) > compat->size_si) {
+	    compat->num_si= compat->size_si = stuff->firstSI + stuff->nSI;
 	    compat->sym_interpret= _XkbTypedRealloc(compat->sym_interpret,
-						   compat->num_si,
+						   compat->size_si,
 						   XkbSymInterpretRec);
 	    if (!compat->sym_interpret) {
-		compat->num_si= 0;
+		compat->num_si = compat->size_si = 0;
 		return BadAlloc;
 	    }
 	}