66 lines
2.0 KiB
Diff
66 lines
2.0 KiB
Diff
From 40efa6359cd184d6d1413f02e4418c9930c73f88 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Tue, 17 Dec 2024 15:19:45 +0100
|
|
Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in
|
|
compRedirectWindow()
|
|
|
|
The function compCheckRedirect() may fail if it cannot allocate the
|
|
backing pixmap.
|
|
|
|
In that case, compRedirectWindow() will return a BadAlloc error.
|
|
|
|
However that failure code path will shortcut the validation of the
|
|
window tree marked just before, which leaves the validate data partly
|
|
initialized.
|
|
|
|
That causes a use of uninitialized pointer later.
|
|
|
|
The fix is to not shortcut the call to compHandleMarkedWindows() even in
|
|
the case of compCheckRedirect() returning an error.
|
|
|
|
CVE-2025-26599, ZDI-CAN-25851
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
|
|
---
|
|
composite/compalloc.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/composite/compalloc.c b/composite/compalloc.c
|
|
index acd215002..83894aa1f 100644
|
|
--- a/composite/compalloc.c
|
|
+++ b/composite/compalloc.c
|
|
@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
|
|
CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
|
|
WindowPtr pLayerWin;
|
|
Bool anyMarked = FALSE;
|
|
+ int status = Success;
|
|
|
|
if (pWin == cs->pOverlayWin) {
|
|
return Success;
|
|
@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
|
|
|
|
if (!compCheckRedirect(pWin)) {
|
|
FreeResource(ccw->id, RT_NONE);
|
|
- return BadAlloc;
|
|
+ status = BadAlloc;
|
|
}
|
|
|
|
if (anyMarked)
|
|
compHandleMarkedWindows(pWin, pLayerWin);
|
|
|
|
- return Success;
|
|
+ return status;
|
|
}
|
|
|
|
void
|
|
--
|
|
2.48.1
|
|
|