ac18fd1e56
- Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText() - Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms() - Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey() - Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient() - Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow() - Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents() - Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger()
47 lines
1.3 KiB
Diff
47 lines
1.3 KiB
Diff
From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Wed, 4 Dec 2024 15:49:43 +1000
|
|
Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
|
|
|
|
CreateCursor returns a cursor with refcount 1 - that refcount is used by
|
|
the resource system, any caller needs to call RefCursor to get their own
|
|
reference. That happens correctly for normal cursors but for our
|
|
rootCursor we keep a variable to the cursor despite not having a ref for
|
|
ourselves.
|
|
|
|
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
|
|
valid.
|
|
|
|
Related to CVE-2025-26594, ZDI-CAN-25544
|
|
|
|
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
dix/main.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/dix/main.c b/dix/main.c
|
|
index aa7b020b2..0c57ba605 100644
|
|
--- a/dix/main.c
|
|
+++ b/dix/main.c
|
|
@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
|
|
defaultCursorFont);
|
|
}
|
|
|
|
+ rootCursor = RefCursor(rootCursor);
|
|
+
|
|
#ifdef PANORAMIX
|
|
/*
|
|
* Consolidate window and colourmap information for each screen
|
|
@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
|
|
|
|
Dispatch();
|
|
|
|
+ UnrefCursor(rootCursor);
|
|
+
|
|
UndisplayDevices();
|
|
DisableAllDevices();
|
|
|
|
--
|
|
2.48.1
|
|
|