rpms/xorg-x11-server
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c10s
rpms:c8-beta
rpms:imports/c9/xorg-x11-server-1.20.11-34.el9_8.2
rpms:imports/c8/xorg-x11-server-1.20.11-28.el8_10.2
rpms:imports/c9/xorg-x11-server-1.20.11-34.el9_8
rpms:imports/c8/xorg-x11-server-1.20.11-28.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-33.el9_7
rpms:imports/c9-beta/xorg-x11-server-1.20.11-33.el9
rpms:imports/c9/xorg-x11-server-1.20.11-32.el9_7
rpms:imports/c9/xorg-x11-server-1.20.11-32.el9_6
rpms:imports/c8/xorg-x11-server-1.20.11-27.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-31.el9_6
rpms:imports/c8/xorg-x11-server-1.20.11-26.el8_10
rpms:imports/c9-beta/xorg-x11-server-1.20.11-28.el9
rpms:imports/c8/xorg-x11-server-1.20.11-25.el8_10
rpms:imports/c9-beta/xorg-x11-server-1.20.11-26.el9
rpms:imports/c8/xorg-x11-server-1.20.11-24.el8_10
rpms:imports/c10s/xorg-x11-server-1.20.14-36.el10
rpms:imports/c8/xorg-x11-server-1.20.11-23.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-24.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-17.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-19.el9
rpms:imports/c8/xorg-x11-server-1.20.11-15.el8
rpms:imports/c9/xorg-x11-server-1.20.11-17.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-17.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-15.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-15.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-13.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-12.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-11.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-10.el8
rpms:imports/c9/xorg-x11-server-1.20.11-11.el9
rpms:imports/c8/xorg-x11-server-1.20.11-9.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-11.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-9.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-9.el8
rpms:imports/c8/xorg-x11-server-1.20.11-5.el8_6.2
rpms:imports/c8s/xorg-x11-server-1.20.11-8.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-5.el8_6.1
rpms:imports/c9/xorg-x11-server-1.20.11-10.el9
rpms:imports/c8/xorg-x11-server-1.20.11-5.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.11-5.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-10.el9
rpms:imports/c8s/xorg-x11-server-1.20.11-5.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-7.el9
rpms:imports/c8s/xorg-x11-server-1.20.11-4.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-6.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-5.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-4.el9_b
rpms:imports/c8/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.8-3.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.6-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.3-5.2.el8_0
rpms:imports/c8s/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-1.el8
rpms:imports/c8s/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8s/xorg-x11-server-1.20.8-9.el8
rpms:imports/c8s/xorg-x11-server-1.20.8-8.el8
rpms:imports/c8/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8/xorg-x11-server-1.20.8-6.1.el8_3
rpms:imports/c8/xorg-x11-server-1.20.8-6.el8
rpms:imports/c8/xorg-x11-server-1.20.6-3.el8
rpms:imports/c8/xorg-x11-server-1.20.3-11.el8
...
pull from: rpms:c8-beta
Branches Tags
rpms:c9
rpms:c9s
rpms:c8
rpms:c8s
rpms:c9-beta
rpms:c10s
rpms:c8-beta
rpms:imports/c9/xorg-x11-server-1.20.11-34.el9_8.2
rpms:imports/c8/xorg-x11-server-1.20.11-28.el8_10.2
rpms:imports/c9/xorg-x11-server-1.20.11-34.el9_8
rpms:imports/c8/xorg-x11-server-1.20.11-28.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-33.el9_7
rpms:imports/c9-beta/xorg-x11-server-1.20.11-33.el9
rpms:imports/c9/xorg-x11-server-1.20.11-32.el9_7
rpms:imports/c9/xorg-x11-server-1.20.11-32.el9_6
rpms:imports/c8/xorg-x11-server-1.20.11-27.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-31.el9_6
rpms:imports/c8/xorg-x11-server-1.20.11-26.el8_10
rpms:imports/c9-beta/xorg-x11-server-1.20.11-28.el9
rpms:imports/c8/xorg-x11-server-1.20.11-25.el8_10
rpms:imports/c9-beta/xorg-x11-server-1.20.11-26.el9
rpms:imports/c8/xorg-x11-server-1.20.11-24.el8_10
rpms:imports/c10s/xorg-x11-server-1.20.14-36.el10
rpms:imports/c8/xorg-x11-server-1.20.11-23.el8_10
rpms:imports/c9/xorg-x11-server-1.20.11-24.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-17.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-19.el9
rpms:imports/c8/xorg-x11-server-1.20.11-15.el8
rpms:imports/c9/xorg-x11-server-1.20.11-17.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-17.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-15.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-15.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-13.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-12.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-11.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-10.el8
rpms:imports/c9/xorg-x11-server-1.20.11-11.el9
rpms:imports/c8/xorg-x11-server-1.20.11-9.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-11.el9
rpms:imports/c8-beta/xorg-x11-server-1.20.11-9.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-9.el8
rpms:imports/c8/xorg-x11-server-1.20.11-5.el8_6.2
rpms:imports/c8s/xorg-x11-server-1.20.11-8.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-5.el8_6.1
rpms:imports/c9/xorg-x11-server-1.20.11-10.el9
rpms:imports/c8/xorg-x11-server-1.20.11-5.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.11-5.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-10.el9
rpms:imports/c8s/xorg-x11-server-1.20.11-5.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-7.el9
rpms:imports/c8s/xorg-x11-server-1.20.11-4.el8
rpms:imports/c9-beta/xorg-x11-server-1.20.11-6.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-5.el9
rpms:imports/c9-beta/xorg-x11-server-1.20.11-4.el9_b
rpms:imports/c8/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.8-3.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.6-2.el8
rpms:imports/c8-beta/xorg-x11-server-1.20.3-5.2.el8_0
rpms:imports/c8s/xorg-x11-server-1.20.11-2.el8
rpms:imports/c8s/xorg-x11-server-1.20.11-1.el8
rpms:imports/c8s/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8s/xorg-x11-server-1.20.8-9.el8
rpms:imports/c8s/xorg-x11-server-1.20.8-8.el8
rpms:imports/c8/xorg-x11-server-1.20.10-1.el8
rpms:imports/c8/xorg-x11-server-1.20.8-6.1.el8_3
rpms:imports/c8/xorg-x11-server-1.20.8-6.el8
rpms:imports/c8/xorg-x11-server-1.20.6-3.el8
rpms:imports/c8/xorg-x11-server-1.20.3-11.el8

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

87 changed files with 2 additions and 5395 deletions
Show Stats Expand all files Collapse all files

45
SOURCES/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
View File

@ -1,45 +0,0 @@
From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 22 Mar 2024 18:51:45 -0700
Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
to send reply
CVE-2024-31080
Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
Xi/xiselectev.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index edcb8a0d3..ac1494987 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
InputClientsPtr others = NULL;
xXIEventMask *evmask = NULL;
DeviceIntPtr dev;
+ uint32_t length;
REQUEST(xXIGetSelectedEventsReq);
REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
}
}
+ /* save the value before SRepXIGetSelectedEvents swaps it */
+ length = reply.length;
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
if (reply.num_masks)
- WriteToClient(client, reply.length * 4, buffer);
+ WriteToClient(client, length * 4, buffer);
free(buffer);
return Success;
--
2.44.0

45
SOURCES/0001-dix-Silence-a-compiler-warning-in-doListFontsAndAlia.patch
View File

@ -1,45 +0,0 @@
From e710e570b1709d100072a8ab7d05c2aefaf41a1b Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 15 Jun 2026 14:00:19 +0200
Subject: [PATCH xserver] dix: Silence a compiler warning in
doListFontsAndAliases()
Compiler complains that "resolvedlen" might be uninitialized:
| dix/dixfonts.c:559:5: var_decl: Declaring variable "resolvedlen" without initializer.
| dix/dixfonts.c:674:17: uninit_use: Using uninitialized value "resolvedlen".
| 672| * is complete.
| 673| */
| 674|-> if (resolvedlen > XLFDMAXFONTNAMELEN) {
| 675| err = BadFontName;
| 676| goto ContBadFontName;
Most likely a false positive, while immediately after the (newly added)
test, there was a memcpy() using "resolvedlen" and the compiler did not
choke on that before.
Either way, initializing "resolvedlen" to 0 is a small price to pay to
silence the compiler warning and keep us on the safe side.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2237>
---
dix/dixfonts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 3c6c9d594..cf2b45d4f 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -556,7 +556,7 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
int err = Successful;
FontNamesPtr names = NULL;
char *name, *resolved = NULL;
- int namelen, resolvedlen;
+ int namelen, resolvedlen = 0;
int nnames;
int stringLens;
int i;
--
2.54.0

33
SOURCES/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
View File

@ -1,33 +0,0 @@
From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 22 Jan 2024 14:22:12 +1000
Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
event
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
---
dix/enterleave.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 7b7ba1098..c1e6ac600 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
ev->first_valuator = first;
switch (ev->num_valuators) {
case 6:
- ev->valuator2 = v->axisVal[first + 5];
+ ev->valuator5 = v->axisVal[first + 5];
case 5:
- ev->valuator2 = v->axisVal[first + 4];
+ ev->valuator4 = v->axisVal[first + 4];
case 4:
- ev->valuator2 = v->axisVal[first + 3];
+ ev->valuator3 = v->axisVal[first + 3];
case 3:
ev->valuator2 = v->axisVal[first + 2];
case 2:
--
2.44.0

54
SOURCES/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
View File

@ -1,54 +0,0 @@
From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Fri, 19 Jan 2024 13:05:51 +0100
Subject: [PATCH] ephyr: Fix incompatible pointer type build error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix a compilation error on 32 bits architectures with gcc 14:
ephyr_glamor_xv.c: In function ephyr_glamor_xv_init:
ephyr_glamor_xv.c:154:31: error: assignment to SetPortAttributeFuncPtr {aka int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)} from incompatible pointer type int (*)(KdScreenInfo *, Atom, INT32, void *) {aka int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)} [-Wincompatible-pointer-types]
154 | adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
| ^
ephyr_glamor_xv.c:155:31: error: assignment to GetPortAttributeFuncPtr {aka int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)} from incompatible pointer type int (*)(KdScreenInfo *, Atom, INT32 *, void *) {aka int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)} [-Wincompatible-pointer-types]
155 | adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
| ^
Build error logs:
https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
Signed-off-by: José Expósito <jexposit@redhat.com>
---
hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c
index 4dd15cf41..b5eae48c8 100644
--- a/hw/kdrive/ephyr/ephyr_glamor_xv.c
+++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c
@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup)
static int
ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen,
- Atom attribute, INT32 value, void *data)
+ Atom attribute, int value, void *data)
{
- return glamor_xv_set_port_attribute(data, attribute, value);
+ return glamor_xv_set_port_attribute(data, attribute, (INT32)value);
}
static int
ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
- Atom attribute, INT32 *value, void *data)
+ Atom attribute, int *value, void *data)
{
- return glamor_xv_get_port_attribute(data, attribute, value);
+ return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value);
}
static void
--
2.43.0

40
SOURCES/0001-os-avoid-potential-out-of-bounds-access-at-logVHdrMe.patch
View File

@ -1,40 +0,0 @@
From 5a3926455d74fe167af612ee11399c0f8cd896b5 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
Date: Wed, 17 Sep 2025 17:29:49 +0300
Subject: [PATCH xserver 01/51] os: avoid potential out-of-bounds access at
logVHdrMessageVerb
The LogVHdrMessageVerb function may access an array out of bounds in a
specific edge case. Specifically, the line:
newline = (buf[len - 1] == '\n');
can result in accessing buf[-1] if len == 0, which is undefined behavior.
Commit adds check to avoid access out of bounds at pointed line.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1841
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 8d25a8914346824f820490ba7090175dea9428cd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
os/log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/log.c b/os/log.c
index cc8219129..71210aee8 100644
--- a/os/log.c
+++ b/os/log.c
@@ -827,7 +827,7 @@ LogVHdrMessageVerb(MessageType type, int verb, const char *msg_format,
if (size - len == 1)
buf[len - 1] = '\n';
- newline = (buf[len - 1] == '\n');
+ newline = (len > 0 && buf[len - 1] == '\n');
LogSWrite(verb, buf, len, newline);
}
--
2.54.0

88
SOURCES/0001-present-Fix-use-after-free-in-present_create_notifie.patch
View File

@ -1,88 +0,0 @@
From 4d07b16328bc9c9d4f6c4c1a9a522d64bf09deda Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 2 Jul 2025 09:46:22 +0200
Subject: [PATCH xserver 1/4] present: Fix use-after-free in
present_create_notifies()
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
present/present_notify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/present/present_notify.c b/present/present_notify.c
index 445954998..00b3b68bd 100644
--- a/present/present_notify.c
+++ b/present/present_notify.c
@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
if (status != Success)
goto bail;
- added = i;
+ added++;
}
return Success;
--
2.51.1

89
SOURCES/0001-render-Avoid-0-or-less-animated-cursors.patch
View File

@ -1,89 +0,0 @@
From 4c8e10312a721aa2f36048388284a2fd4ad97043 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 28 Mar 2025 09:43:52 +0100
Subject: [PATCH xserver 1/7] render: Avoid 0 or less animated cursors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Animated cursors use a series of cursors that the client can set.
By default, the Xserver assumes at least one cursor is specified
while a client may actually pass no cursor at all.
That causes an out-of-bound read creating the animated cursor and a
crash of the Xserver:
| Invalid read of size 8
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
|
| Invalid read of size 2
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
To avoid the issue, check the number of cursors specified and return a
BadValue error in both the proc handler (early) and the animated cursor
creation (as this is a public function) if there is 0 or less cursor.
CVE-2025-49175
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 0885e0b26225c90534642fe911632ec0779eebee)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
render/animcur.c | 3 +++
render/render.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/render/animcur.c b/render/animcur.c
index ef27bda27..77942d846 100644
--- a/render/animcur.c
+++ b/render/animcur.c
@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
int rc = BadAlloc, i;
AnimCurPtr ac;
+ if (ncursor <= 0)
+ return BadValue;
+
for (i = 0; i < screenInfo.numScreens; i++)
if (!GetAnimCurScreen(screenInfo.screens[i]))
return BadImplementation;
diff --git a/render/render.c b/render/render.c
index 456f156d4..e9bbac62d 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1788,6 +1788,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
ncursor =
(client->req_len -
(bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
+ if (ncursor <= 0)
+ return BadValue;
cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
if (!cursors)
return BadAlloc;
--
2.49.0

72
SOURCES/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
View File

@ -1,72 +0,0 @@
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 5 Apr 2024 15:24:49 +0200
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.
AddGlyph() however may chose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:
READ of size 4 thread T0
#0 in FreeGlyph xserver/render/glyph.c:252
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
#2 in Dispatch xserver/dix/dispatch.c:546
#3 in dix_main xserver/dix/main.c:271
#4 in main xserver/dix/stubmain.c:34
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 in __libc_start_main_impl ../csu/libc-start.c:360
#7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
#2 in AddGlyph xserver/render/glyph.c:295
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
#4 in Dispatch xserver/dix/dispatch.c:546
#5 in dix_main xserver/dix/main.c:271
#6 in main xserver/dix/stubmain.c:34
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
#1 in AllocateGlyph xserver/render/glyph.c:355
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
#3 in Dispatch xserver/dix/dispatch.c:546
#4 in dix_main xserver/dix/main.c:271
#5 in main xserver/dix/stubmain.c:34
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
To avoid that, make sure not to free the given glyph in AddGlyph().
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
---
render/glyph.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index 13991f8a1..5fa7f3b5b 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
TRUE, glyph->sha1);
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
- FreeGlyphPicture(glyph);
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
glyph = gr->glyph;
}
else if (gr->glyph != glyph) {
--
2.44.0

122
SOURCES/0001-sync-fix-deletion-of-counters-and-fences.patch
View File

@ -1,122 +0,0 @@
From 2b60d9c28c98f6d2c924c69c0dcbb2aa64b861eb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:16:13 +1000
Subject: [PATCH xserver 1/9] sync: fix deletion of counters and fences
Both FreeCounter() and miSyncDestroyFence() iterate over the trigger list
and invoke the CounterDestroyed callback on each trigger.
The CounterDestroyed callback (e.g. SyncAwaitTriggerFired) may call
FreeResource/FreeAwait, which frees the SyncAwaitUnion containing all
SyncAwait structs in the same Await group.
When multiple conditions in a single Await reference the same sync
object (counter or fence), the first callback frees all SyncAwait
structs while subsequent trigger list nodes still reference them. On the
next iteration, reading ptl->next or ptl->pTrigger dereferences freed
memory, leading to a use-after-free.
We need separate fixes for separate issues here to fix this in one go
- use our null-terminated list macro to make sure our next pointer stays
valid (the code accessed ptl->next after freeing it)
- update the list head before deleting the trigger, eventually this ends
up being NULL anyway but meanwhile the list head is a valid list
during CounterDestroyed
- check if we actually do have a trigger before dereferencing the
callback
- Set all triggers to NULL if they are shared so we don't dereference
potentially freed memory
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30159 (miSyncDestroyFence), ZDI-CAN-30163 (FreeCounter)
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit f5abfb61994471023d8c6470428c8e30c411cc0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/sync.c | 32 +++++++++++++++++++++++++-------
miext/sync/misync.c | 12 ++++++++----
2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index fd2ceb042..0079e85ed 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -1148,9 +1148,12 @@ FreeCounter(void *env, XID id)
SyncTriggerList *ptl, *pnext;
/* tell all the counter's triggers that counter has been destroyed */
- for (ptl = pCounter->sync.pTriglist; ptl; ptl = pnext) {
- (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
- pnext = ptl->next;
+ nt_list_for_each_entry_safe(ptl, pnext, pCounter->sync.pTriglist, next) {
+ /* Remove it from the list first so CounterDestroyed
+ * callbacks have a valid list to iterate */
+ pCounter->sync.pTriglist = pnext;
+ if (ptl->pTrigger)
+ (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
free(ptl); /* destroy the trigger list as we go */
}
if (IsSystemCounter(pCounter)) {
@@ -1182,13 +1185,28 @@ FreeAwait(void *addr, XID id)
for (numwaits = pAwaitUnion->header.num_waitconditions; numwaits;
numwaits--, pAwait++) {
- /* If the counter is being destroyed, FreeCounter will delete
- * the trigger list itself, so don't do it here.
+ /* If the counter is being destroyed, FreeCounter/miSyncDestroyFence
+ * will delete the trigger list itself, so don't do it here.
+ * However, we must NULL out the pTrigger pointer in the trigger list
+ * node so the destroy loop knows not to dereference it - the backing
+ * SyncAwait memory is about to be freed below.
*/
SyncObject *pSync = pAwait->trigger.pSync;
- if (pSync && !pSync->beingDestroyed)
- SyncDeleteTriggerFromSyncObject(&pAwait->trigger);
+ if (pSync) {
+ if (!pSync->beingDestroyed) {
+ SyncDeleteTriggerFromSyncObject(&pAwait->trigger);
+ } else {
+ SyncTriggerList *ptl;
+
+ nt_list_for_each_entry(ptl, pSync->pTriglist, next) {
+ if (ptl->pTrigger == &pAwait->trigger) {
+ ptl->pTrigger = NULL;
+ break;
+ }
+ }
+ }
+ }
}
free(pAwaitUnion);
return Success;
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
index 0931803f6..6a47d1cdd 100644
--- a/miext/sync/misync.c
+++ b/miext/sync/misync.c
@@ -115,10 +115,14 @@ miSyncDestroyFence(SyncFence * pFence)
SyncScreenPrivPtr pScreenPriv = SYNC_SCREEN_PRIV(pScreen);
SyncTriggerList *ptl, *pNext;
- /* tell all the fence's triggers that the counter has been destroyed */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
- pNext = ptl->next;
+ /* tell all the fence's triggers that the fence has been destroyed.
+ * Update pTriglist before each callback and free so that FreeAwait
+ * sees a valid list head when scanning for triggers to NULL out.
+ */
+ nt_list_for_each_entry_safe(ptl, pNext, pFence->sync.pTriglist, next) {
+ pFence->sync.pTriglist = pNext;
+ if (ptl->pTrigger)
+ (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
free(ptl); /* destroy the trigger list as we go */
}
--
2.54.0

54
SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
View File

@ -1,54 +0,0 @@
From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 10 Oct 2024 10:37:28 +0200
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
---
xkb/xkb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f203270d5..70e8279aa 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
XkbSymInterpretPtr sym;
unsigned int skipped = 0;
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
- compat->num_si = req->firstSI + req->nSI;
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
compat->sym_interpret = reallocarray(compat->sym_interpret,
- compat->num_si,
+ compat->size_si,
sizeof(XkbSymInterpretRec));
if (!compat->sym_interpret) {
- compat->num_si = 0;
+ compat->num_si = compat->size_si = 0;
return BadAlloc;
}
}
--
2.46.2

47
SOURCES/0001-xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
View File

@ -1,47 +0,0 @@
From 750205e2a8ba90ce532b19a953e8dba221e62648 Mon Sep 17 00:00:00 2001
From: Peter Harris <pharris2@rocketsoftware.com>
Date: Thu, 15 Jan 2026 15:54:09 -0500
Subject: [PATCH xserver 1/6] xkb: fix buffer re-use in _XkbSetCompatMap
If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.
In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.
Set the number of used "compat" entries when re-using previously
allocated space in the buffer.
CVE-2026-33999, ZDI-CAN-28593
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index d5f790338..b002da5bc 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -3003,7 +3003,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
return BadAlloc;
}
}
- else if (req->truncateSI) {
+ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
compat->num_si = req->firstSI + req->nSI;
}
sym = &compat->sym_interpret[req->firstSI];
--
2.53.0

56
SOURCES/0001-xkb-fix-int-size-mismatch.patch
View File

@ -1,56 +0,0 @@
From de8df5f72f7f1673fc1bb7a9c84ba0e7f1d5e562 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Wed, 24 Jan 2024 17:18:16 +0100
Subject: [PATCH xserver] xkb: fix int size mismatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC reports:
../xkb/xkb.c: In function _XkbSetMapCheckLength:
../xkb/xkb.c:2464:54: warning: format %ld expects argument of type long int, but argument 2 has type size_t {aka unsigned int} [-Wformat=]
2464 | ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
| ~~^
| |
| long int
| %d
2465 | len, req_len);
| ~~~
| |
| size_t {aka unsigned int}
../xkb/xkb.c:2464:62: warning: format %ld expects argument of type long int, but argument 3 has type size_t {aka unsigned int} [-Wformat=]
2464 | ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
| ~~^
| |
| long int
| %d
2465 | len, req_len);
| ~~~~~~~
| |
| size_t {aka unsigned int}
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1257>
(cherry picked from commit bc90c44e60c309564a7feec5d288ecafcbb2a62b)
---
xkb/xkb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b240b6f6c..8d52e25df 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2460,8 +2460,7 @@ _XkbSetMapCheckLength(xkbSetMapReq *req)
if (len == req_len)
return Success;
bad:
- ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
- len, req_len);
+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %zd got %zd\n", len, req_len);
return BadLength;
}
--
2.54.0

43
SOURCES/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
View File

@ -1,43 +0,0 @@
From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 22 Mar 2024 18:56:27 -0700
Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
to send reply
CVE-2024-31081
Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
Xi/xipassivegrab.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index c9ac2f855..896233bec 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
GrabParameters param;
void *tmp;
int mask_len;
+ uint32_t length;
REQUEST(xXIPassiveGrabDeviceReq);
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
}
}
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ length = rep.length;
WriteReplyToClient(client, sizeof(rep), &rep);
if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, modifiers_failed);
+ WriteToClient(client, length * 4, modifiers_failed);
out:
free(modifiers_failed);
--
2.44.0

47
SOURCES/0002-dix-avoid-null-ptr-deref-at-doListFontsWithInfo.patch
View File

@ -1,47 +0,0 @@
From 27d924f41a04f37ee8a16ba2419a703174c5026c Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
Date: Wed, 17 Sep 2025 17:25:40 +0300
Subject: [PATCH xserver 02/51] dix: avoid null ptr deref at
doListFontsWithInfo
In the doListFontsWithInfo function in dixfonts.c, when a font alias is
encountered (err == FontNameAlias), the code saves the current state
and allocates memory for c->savedName.
If the malloc(namelen + 1) call fails, c->savedName remains NULL,
but c->haveSaved is still set to TRUE. Later, when a font is
successfully resolved (err == Successful), the code uses c->savedName
without checking if it is NULL, so there is potential null ptr
dereference. XNFalloc will check result of malloc and stop
program execution if allocation was failed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1842
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit dd5c2595a42d3ff0c4f18d9b53d1f6c3fd934fd4)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/dixfonts.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 386c38686..b079dcf67 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -933,9 +933,8 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c)
c->haveSaved = TRUE;
c->savedNumFonts = numFonts;
free(c->savedName);
- c->savedName = malloc(namelen + 1);
- if (c->savedName)
- memmove(c->savedName, name, namelen + 1);
+ c->savedName = XNFalloc(namelen + 1);
+ memcpy(c->savedName, name, namelen + 1);
aliascount = 20;
}
if (namelen > XLFDMAXFONTNAMELEN) {
--
2.54.0

91
SOURCES/0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
View File

@ -1,91 +0,0 @@
From a99c927aec4563101f574d0a65cd451dcdd7e012 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 7 Apr 2025 16:13:34 +0200
Subject: [PATCH xserver 2/7] os: Do not overflow the integer size with
BigRequest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The BigRequest extension allows requests larger than the 16-bit length
limit.
It uses integers for the request length and checks for the size not to
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.
In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.
To avoid the issue, make sure to check that the request size does not
overflow the maxBigRequestSize limit prior to any conversion.
The caller Dispatch() function however expects the return value to be in
bytes, so we cannot just return the converted value in case of error, as
that would also overflow the integer size.
To preserve the existing API, we use a negative value for the X11 error
code BadLength as the function only return positive values, 0 or -1 and
update the caller Dispatch() function to take that case into account to
return the error code to the offending client.
CVE-2025-49176
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 03731b326a80b582e48d939fe62cb1e2b10400d9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
dix/dispatch.c | 9 +++++----
os/io.c | 4 ++++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index a33bfaa9e..14ccdc57a 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -447,9 +447,10 @@ Dispatch(void)
/* now, finally, deal with client requests */
result = ReadRequestFromClient(client);
- if (result <= 0) {
- if (result < 0)
- CloseDownClient(client);
+ if (result == 0)
+ break;
+ else if (result == -1) {
+ CloseDownClient(client);
break;
}
@@ -470,7 +471,7 @@ Dispatch(void)
client->index,
client->requestBuffer);
#endif
- if (result > (maxBigRequestSize << 2))
+ if (result < 0 || result > (maxBigRequestSize << 2))
result = BadLength;
else {
result = XaceHookDispatch(client, client->majorOp);
diff --git a/os/io.c b/os/io.c
index 939f51743..a05300869 100644
--- a/os/io.c
+++ b/os/io.c
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client);
}
client->req_len = needed;
+ if (needed > MAXINT >> 2) {
+ /* Check for potential integer overflow */
+ return -(BadLength);
+ }
needed <<= 2; /* needed is in bytes now */
}
if (gotnow < needed) {
--
2.49.0

71
SOURCES/0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch
View File

@ -1,71 +0,0 @@
From 513d92540e8edba52a08f53c461e4e366bb8b385 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:17:08 +1000
Subject: [PATCH xserver 2/9] sync: restart trigger list iteration in
SyncChangeCounter after TriggerFired
This is the equivalent check to miSyncTriggerFence() from
commit f19ab94ba9c8 ("miext/sync: Fix use-after-free in miSyncTriggerFence()")
When a trigger fires via SyncAwaitTriggerFired, the resulting
FreeResource/FreeAwait call invokes SyncDeleteTriggerFromSyncObject for
every trigger in the same Await group. This unlinks and frees the
corresponding trigger list nodes - potentially including the node pnext
points to.
Fix by restarting iteration from the list head after a trigger fires, since
TriggerFired may have arbitrarily mutated the list. Triggers that have fired
are removed from the list by FreeAwait, so restarting cannot cause infinite
loops.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30164
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bdd7bf57af208b1ddf57d4683d67104443b44812)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/sync.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 0079e85ed..69a28ec14 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -718,8 +718,29 @@ SyncChangeCounter(SyncCounter * pCounter, int64_t newval)
/* run through triggers to see if any become true */
for (ptl = pCounter->sync.pTriglist; ptl; ptl = pnext) {
pnext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, oldval))
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, oldval)) {
(*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ /* TriggerFired may have called SyncDeleteTriggerFromSyncObject
+ * for sibling triggers in the same Await group, freeing their
+ * trigger list nodes - potentially including pnext. Verify
+ * pnext is still on the counter's trigger list; if not,
+ * restart from the list head.
+ *
+ * Unlike miSyncTriggerFence() we cannot use a do/while
+ * restart loop here: counter trigger lists may contain alarm
+ * triggers which are not removed after firing and would cause
+ * an infinite loop when delta is 0.
+ */
+ if (pnext) {
+ SyncTriggerList *tmp;
+ for (tmp = pCounter->sync.pTriglist; tmp; tmp = tmp->next) {
+ if (tmp == pnext)
+ break;
+ }
+ if (!tmp)
+ pnext = pCounter->sync.pTriglist;
+ }
+ }
}
if (IsSystemCounter(pCounter)) {
--
2.54.0

70
SOURCES/0002-xkb-Fix-bounds-check-in-_CheckSetGeom.patch
View File

@ -1,70 +0,0 @@
From 229b7ab7ee48cf9640d635d7db7e32ce00fcb8be Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 16:03:11 +0100
Subject: [PATCH xserver 2/6] xkb: Fix bounds check in _CheckSetGeom()
As reported by valgrind:
== Conditional jump or move depends on uninitialised value(s)
== at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585)
== by 0x5AC7D5: _CheckSetGeom (xkb.c:5607)
== by 0x5AC952: _XkbSetGeometry (xkb.c:5643)
== by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684)
== by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E13B0: AllocateInputBuffer (io.c:981)
== by 0x5E05CD: InsertFakeRequest (io.c:516)
== by 0x4AA860: NextAvailableClient (dispatch.c:3629)
== by 0x5DE0D7: AllocNewConnection (connection.c:628)
== by 0x5DE2C6: EstablishNewConnections (connection.c:692)
== by 0x5DE600: HandleNotifyFd (connection.c:809)
== by 0x5E2598: ospoll_wait (ospoll.c:660)
== by 0x5DA00C: WaitForSomething (WaitFor.c:208)
== by 0x4A26E5: Dispatch (dispatch.c:493)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
Each key alias entry contains two key names (the alias and the real key
name), each of size XkbKeyNameLength.
The current bounds check only validates the first name, allowing
XkbAddGeomKeyAlias to potentially read uninitialized memory when
accessing the second name at &wire[XkbKeyNameLength].
To fix this, change the value to check to use 2 * XkbKeyNameLength to
validate the bounds.
CVE-2026-34000, ZDI-CAN-28679
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81b6a34f90b28c32ad499a78a4f391b7c06daea2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b002da5bc..9cd2afdb8 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5602,7 +5602,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
}
for (i = 0; i < req->nKeyAliases; i++) {
- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))
return BadLength;
if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
--
2.53.0

59
SOURCES/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
View File

@ -1,59 +0,0 @@
From a1d4f04bbd46957af854bea3b23d0dcb31b38afd Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:55:06 +0200
Subject: [PATCH xserver 2/4] xkb: Make the RT_XKBCLIENT resource private
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently, the resource in only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
include/xkbsrv.h | 2 ++
xkb/xkb.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/xkbsrv.h b/include/xkbsrv.h
index bd747856b..d801cd4b8 100644
--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include "inputstr.h"
#include "events.h"
+extern RESTYPE RT_XKBCLIENT;
+
typedef struct _XkbInterest {
DeviceIntPtr dev;
ClientPtr client;
diff --git a/xkb/xkb.c b/xkb/xkb.c
index ac154e200..6c102af0a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode;
CARD32 xkbDebugFlags = 0;
static CARD32 xkbDebugCtrls = 0;
-static RESTYPE RT_XKBCLIENT;
+RESTYPE RT_XKBCLIENT = 0;
/***====================================================================***/
--
2.51.1

47
SOURCES/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
View File

@ -1,47 +0,0 @@
From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 22 Mar 2024 19:07:34 -0700
Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
length to send reply
CVE-2024-31082
Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
hw/xquartz/xpr/appledri.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
index 77574655b..40422b61a 100644
--- a/hw/xquartz/xpr/appledri.c
+++ b/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
xAppleDRICreatePixmapReply rep;
int width, height, pitch, bpp;
void *ptr;
+ CARD32 stringLength;
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ stringLength = rep.stringLength; /* save unswapped value */
if (client->swapped) {
swaps(&rep.sequenceNumber);
swapl(&rep.length);
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
}
WriteToClient(client, sizeof(rep), &rep);
- WriteToClient(client, rep.stringLength, path);
+ WriteToClient(client, stringLength, path);
return Success;
}
--
2.44.0

103
SOURCES/0003-miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
View File

@ -1,103 +0,0 @@
From f6638d751790ee3f5ca672a9db303bbf5b66d020 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 16:23:23 +0100
Subject: [PATCH xserver 3/6] miext/sync: Fix use-after-free in
miSyncTriggerFence()
As reported by valgrind:
== Invalid read of size 8
== at 0x568C14: miSyncTriggerFence (misync.c:140)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
== at 0x4843E43: free (vg_replace_malloc.c:990)
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
== by 0x53F14D: FreeAwait (sync.c:1208)
== by 0x4DFB06: doFreeResource (resource.c:888)
== by 0x4DFC59: FreeResource (resource.c:918)
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
== by 0x568C52: miSyncTriggerFence (misync.c:142)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Block was alloc'd at
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E50E1: XNFalloc (utils.c:1129)
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
When walking the list of fences to trigger, miSyncTriggerFence() may
call TriggerFence() for the current trigger, which end up calling the
function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.
On the next iteration, ptl = pNext points to freed memory...
To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.
CVE-2026-34001, ZDI-CAN-28706
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f19ab94ba9c891d801231654267556dc7f32b5e0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
miext/sync/misync.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
index 0931803f6..9a6fbbd4a 100644
--- a/miext/sync/misync.c
+++ b/miext/sync/misync.c
@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
void
miSyncTriggerFence(SyncFence * pFence)
{
- SyncTriggerList *ptl, *pNext;
+ SyncTriggerList *ptl;
+ Bool triggered;
pFence->funcs.SetTriggered(pFence);
/* run through triggers to see if any fired */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- pNext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
- }
+ do {
+ triggered = FALSE;
+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ triggered = TRUE;
+ break;
+ }
+ }
+ } while (triggered);
}
SyncScreenFuncsPtr
--
2.53.0

35
SOURCES/0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
View File

@ -1,35 +0,0 @@
From d5b66f2b1f3d9a322261d150e0da4e707a337334 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Jun 2025 08:39:02 +0200
Subject: [PATCH xserver 3/7] os: Check for integer overflow on BigRequest
length
Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
---
os/io.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/os/io.c b/os/io.c
index a05300869..de5b3c921 100644
--- a/os/io.c
+++ b/os/io.c
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client);
}
client->req_len = needed;
+ if (needed > MAXINT >> 2)
+ return -(BadLength);
needed <<= 2;
}
if (gotnow < needed) {
--
2.49.0

49
SOURCES/0003-panoramix-avoid-null-dereference-in-PanoramiXMaybeAd.patch
View File

@ -1,49 +0,0 @@
From 5e657943933a79166d2020ee978abd8afa5fccfe Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 20 Sep 2025 16:35:46 -0700
Subject: [PATCH xserver 03/51] panoramix: avoid null dereference in
PanoramiXMaybeAddDepth()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
Error: GCC_ANALYZER_WARNING (CWE-476): [#def4]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:748:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL PanoramiXDepths
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:802:1: enter_function: entry to PanoramiXConsolidate
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:813:17: branch_true: following true branch...
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: branch_true: ...to here
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: call_function: calling PanoramiXMaybeAddDepth from PanoramiXConsolidate
746| PanoramiXDepths = reallocarray(PanoramiXDepths,
747| PanoramiXNumDepths, sizeof(DepthRec));
748|-> PanoramiXDepths[j].depth = pDepth->depth;
749| PanoramiXDepths[j].numVids = 0;
750| PanoramiXDepths[j].vids = NULL;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 537b56cccaf1759f9beef9396463b1f412614003)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/panoramiX.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index bd9c45b03..00585e3f6 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -747,8 +747,8 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth)
j = PanoramiXNumDepths;
PanoramiXNumDepths++;
- PanoramiXDepths = reallocarray(PanoramiXDepths,
- PanoramiXNumDepths, sizeof(DepthRec));
+ PanoramiXDepths = XNFreallocarray(PanoramiXDepths,
+ PanoramiXNumDepths, sizeof(DepthRec));
PanoramiXDepths[j].depth = pDepth->depth;
PanoramiXDepths[j].numVids = 0;
PanoramiXDepths[j].vids = NULL;
--
2.54.0

89
SOURCES/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
View File

@ -1,89 +0,0 @@
From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:58:57 +0200
Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
XkbInterest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
xkb/xkbEvents.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
index f8f65d4a7..7c669c93e 100644
--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = interest->autoCtrls;
autoValues = interest->autoCtrlValues;
client = interest->client;
+ FreeResource(interest->resource, RT_XKBCLIENT);
free(interest);
found = TRUE;
}
@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = victim->autoCtrls;
autoValues = victim->autoCtrlValues;
client = victim->client;
+ FreeResource(victim->resource, RT_XKBCLIENT);
free(victim);
found = TRUE;
}
--
2.51.1

50
SOURCES/0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch
View File

@ -1,50 +0,0 @@
From 7841780e7b1d0e0f5f9bb98691eaffece19d06e1 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:17:41 +1000
Subject: [PATCH xserver 3/9] xkb: reject key types with num_levels exceeding
XkbMaxShiftLevel
CheckKeyTypes validates incoming key type definitions from XkbSetMap
requests but does not enforce an upper bound on numLevels. A client can set
numLevels up to 255 on a non-canonical key type, which is stored in the
server's type table.
When ChangeKeyboardMapping later triggers XkbUpdateKeyTypesFromCore, the
function XkbKeyTypesForCoreSymbols computes groupsWidth from num_levels and
uses the XKB_OFFSET(g, l) = (g * groupsWidth) + l macro to index into
tsyms[], a stack-allocated buffer of XkbMaxSymsPerKey (252) entries. With
num_levels=255, groupsWidth=255, and indices reach up to 3*255+254 = 1019,
overflowing the 252-element stack buffer by 767 KeySym-sized entries.
Fix by rejecting numLevels values greater than XkbMaxShiftLevel (63) in
CheckKeyTypes, alongside the existing lower-bound check for numLevels < 1.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30160
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 543e108516428fc8c3bea91d6563ad266f9a801e)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 2139da7ee..f190be5eb 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1644,7 +1644,7 @@ CheckKeyTypes(ClientPtr client,
}
n = i + req->firstType;
width = wire->numLevels;
- if (width < 1) {
+ if (width < 1 || width > XkbMaxShiftLevel) {
*nMapsRtrn = _XkbErrCode3(0x04, n, width);
return 0;
}
--
2.54.0

48
SOURCES/0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
View File

@ -1,48 +0,0 @@
From b4f63879f2a5cf0578101591f26471238f944e9c Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:46:03 +0200
Subject: [PATCH xserver 4/7] os: Account for bytes to ignore when sharing
input buffer
When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client who's
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.
To avoid the issue, make sure we have zero bytes to ignore left in the
input request when sharing the input buffer with another client.
CVE-2025-49178
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
os/io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/io.c b/os/io.c
index de5b3c921..b7f2750b5 100644
--- a/os/io.c
+++ b/os/io.c
@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
*/
gotnow -= needed;
- if (!gotnow)
+ if (!gotnow && !oci->ignoreBytes)
AvailableInput = oc;
if (move_header) {
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
--
2.49.0

71
SOURCES/0004-panoramix-avoid-null-dereference-in-PanoramiXConsoli.patch
View File

@ -1,71 +0,0 @@
From bd7f4a48a5187dd32d3a0791a407432933af0c1d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 20 Sep 2025 16:45:59 -0700
Subject: [PATCH xserver 04/51] panoramix: avoid null dereference in
PanoramiXConsolidate()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
Error: GCC_ANALYZER_WARNING (CWE-476): [#def5]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL root
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:819:12: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: danger: root could be NULL: unchecked value from (1)
818|
819| root = malloc(sizeof(PanoramiXRes));
820|-> root->type = XRT_WINDOW;
821| defmap = malloc(sizeof(PanoramiXRes));
822| defmap->type = XRT_COLORMAP;
Error: GCC_ANALYZER_WARNING (CWE-476): [#def6]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL defmap
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:821:14: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: danger: defmap could be NULL: unchecked value from (1)
820| root->type = XRT_WINDOW;
821| defmap = malloc(sizeof(PanoramiXRes));
822|-> defmap->type = XRT_COLORMAP;
823| saver = malloc(sizeof(PanoramiXRes));
824| saver->type = XRT_WINDOW;
Error: GCC_ANALYZER_WARNING (CWE-476): [#def7]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL saver
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:823:13: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: danger: saver could be NULL: unchecked value from (1)
822| defmap->type = XRT_COLORMAP;
823| saver = malloc(sizeof(PanoramiXRes));
824|-> saver->type = XRT_WINDOW;
825|
826| FOR_NSCREENS(i) {
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23c103d41f35cc030b0c0e973f7f3bcb8d9902a0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/panoramiX.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 00585e3f6..2029b353d 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -820,11 +820,11 @@ PanoramiXConsolidate(void)
for (i = 0; i < pScreen->numVisuals; i++)
PanoramiXMaybeAddVisual(pVisual++);
- root = malloc(sizeof(PanoramiXRes));
+ root = XNFcallocarray(1, sizeof(PanoramiXRes));
root->type = XRT_WINDOW;
- defmap = malloc(sizeof(PanoramiXRes));
+ defmap = XNFcallocarray(1, sizeof(PanoramiXRes));
defmap->type = XRT_COLORMAP;
- saver = malloc(sizeof(PanoramiXRes));
+ saver = XNFcallocarray(1, sizeof(PanoramiXRes));
saver->type = XRT_WINDOW;
FOR_NSCREENS(i) {
--
2.54.0

112
SOURCES/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
View File

@ -1,112 +0,0 @@
From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 30 Jan 2024 13:13:35 +1000
Subject: [PATCH 4/4] render: fix refcounting of glyphs during
ProcRenderAddGlyphs
Previously, AllocateGlyph would return a new glyph with refcount=0 and a
re-used glyph would end up not changing the refcount at all. The
resulting glyph_new array would thus have multiple entries pointing to
the same non-refcounted glyphs.
AddGlyph may free a glyph, resulting in a UAF when the same glyph
pointer is then later used.
Fix this by returning a refcount of 1 for a new glyph and always
incrementing the refcount for a re-used glyph, followed by dropping that
refcount back down again when we're done with it.
CVE-2024-31083, ZDI-CAN-22880
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
render/glyph.c | 5 +++--
render/glyphstr_priv.h | 1 +
render/render.c | 15 +++++++++++----
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index 850ea8440..13991f8a1 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
}
}
-static void
+void
FreeGlyph(GlyphPtr glyph, int format)
{
CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
+ BUG_RETURN(glyph->refcnt == 0);
if (--glyph->refcnt == 0) {
GlyphRefPtr gr;
int i;
@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
glyph = (GlyphPtr) malloc(size);
if (!glyph)
return 0;
- glyph->refcnt = 0;
+ glyph->refcnt = 1;
glyph->size = size + sizeof(xGlyphInfo);
glyph->info = *gi;
dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
diff --git a/render/glyphstr.h b/render/glyphstr.h
index 2f51bd244..3b1d806d1 100644
--- a/render/glyphstr.h
+++ b/render/glyphstr.h
@@ -108,6 +108,7 @@ extern Bool
extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
+extern void FreeGlyph(GlyphPtr glyph, int format);
extern Bool
ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
diff --git a/render/render.c b/render/render.c
index 29c5055c6..fe5e37dd9 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
glyph_new->found = TRUE;
+ ++glyph_new->glyph->refcnt;
}
else {
GlyphPtr glyph;
@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
err = BadAlloc;
goto bail;
}
- for (i = 0; i < nglyphs; i++)
+ for (i = 0; i < nglyphs; i++) {
AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
+ }
if (glyphsBase != glyphsLocal)
free(glyphsBase);
@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
FreePicture((void *) pSrc, 0);
if (pSrcPix)
FreeScratchPixmapHeader(pSrcPix);
- for (i = 0; i < nglyphs; i++)
- if (glyphs[i].glyph && !glyphs[i].found)
- free(glyphs[i].glyph);
+ for (i = 0; i < nglyphs; i++) {
+ if (glyphs[i].glyph) {
+ --glyphs[i].glyph->refcnt;
+ if (!glyphs[i].found)
+ free(glyphs[i].glyph);
+ }
+ }
if (glyphsBase != glyphsLocal)
free(glyphsBase);
return err;
--
2.44.0

91
SOURCES/0004-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
View File

@ -1,91 +0,0 @@
From 5842fd1fcce48ec98bdcce75b804210584ea35e2 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 17:02:09 +0100
Subject: [PATCH xserver 4/6] xkb: Fix out-of-bounds read in CheckModifierMap()
As reported by valgrind:
== Conditional jump or move depends on uninitialised value(s)
== at 0x547E5B: CheckModifierMap (xkb.c:1972)
== by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
== by 0x54A845: ProcXkbSetMap (xkb.c:2741)
== by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
== by 0x454A8C: Dispatch (dispatch.c:553)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x592D5A: AllocateInputBuffer (io.c:981)
== by 0x591F77: InsertFakeRequest (io.c:516)
== by 0x45CA27: NextAvailableClient (dispatch.c:3629)
== by 0x58FA81: AllocNewConnection (connection.c:628)
== by 0x58FC70: EstablishNewConnections (connection.c:692)
== by 0x58FFAA: HandleNotifyFd (connection.c:809)
== by 0x593F42: ospoll_wait (ospoll.c:660)
== by 0x58B9B6: WaitForSomething (WaitFor.c:208)
== by 0x4548AC: Dispatch (dispatch.c:493)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
The issue is that the loop in CheckModifierMap() reads from wire without
verifying that the data is within the request bounds.
The req->totalModMapKeys value could exceed the actual data provided,
causing reads of uninitialized memory.
To fix that issue, we add a bounds check using _XkbCheckRequestBounds,
but for that, we need to also pass a ClientPtr parameter, which is not
a problem since CheckModifierMap() is a private, static function.
CVE-2026-34002, ZDI-CAN-28737
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f056ce1cc96ed9261052c31524162c78e458f98c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 9cd2afdb8..f47ffbc5d 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
static int
-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
- int *errRtrn)
+CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
+ CARD8 **wireRtrn, int *errRtrn)
{
register CARD8 *wire = *wireRtrn;
CARD8 *start;
@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
}
start = wire;
for (i = 0; i < req->totalModMapKeys; i++, wire += 2) {
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errRtrn = _XkbErrCode4(0x63, first, last, wire[0]);
return 0;
@@ -2567,7 +2571,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
return BadValue;
}
if ((req->present & XkbModifierMapMask) &&
- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
2.53.0

49
SOURCES/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
View File

@ -1,49 +0,0 @@
From c7beaec76c556870e5566b84dce7099bf28f9502 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 16:30:29 +0200
Subject: [PATCH xserver 4/4] xkb: Prevent overflow in XkbSetCompatMap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
xkb/xkb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 6c102af0a..a77fe7ff0 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
XkbSymInterpretPtr sym;
unsigned int skipped = 0;
+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
+ return BadValue;
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
compat->num_si = compat->size_si = req->firstSI + req->nSI;
compat->sym_interpret = reallocarray(compat->sym_interpret,
--
2.51.1

53
SOURCES/0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch
View File

@ -1,53 +0,0 @@
From 50b6eeda460f0badea82f689442461fea7f7af2a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:18:13 +1000
Subject: [PATCH xserver 4/9] xkb: clamp nMaps to mapWidths buffer size in
CheckKeyTypes
CheckKeyTypes computes nMaps = firstType + nTypes from client-controlled
request fields when XkbSetMapResizeTypes is set. This value is used to
index mapWidths[], a stack-allocated CARD8 array of XkbMaxLegalKeyCode + 1
(256) elements. No upper bound is enforced on nMaps.
An attacker can first send SetMap(firstType=0, nTypes=255, ResizeTypes) to
set the server's num_types to 255, then send SetMap(firstType=255,
nTypes=10, ResizeTypes). The firstType > num_types check passes because
255 > 255 is false (the check uses > rather than >=). nMaps is then
computed as 265, and the loop writes mapWidths[255..264], overflowing 9
bytes past the stack buffer into adjacent stack variables (symsPerKey[]).
Fix by rejecting requests where firstType + nTypes would exceed the
mapWidths buffer size (XkbMaxLegalKeyCode + 1).
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30161
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 867b59b33bee669cb412f1314e47c52eacf6e00b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
xkb/xkb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f190be5eb..f92ba9c3d 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1617,6 +1617,11 @@ CheckKeyTypes(ClientPtr client,
*nMapsRtrn = _XkbErrCode4(0x02, req->firstType, req->nTypes, 4);
return 0;
}
+ if (nMaps > XkbMaxLegalKeyCode + 1) {
+ *nMapsRtrn = _XkbErrCode4(0x02, req->firstType, req->nTypes,
+ XkbMaxLegalKeyCode + 1);
+ return 0;
+ }
}
else if (req->present & XkbKeyTypesMask) {
nMaps = xkb->map->num_types;
--
2.54.0

43
SOURCES/0005-Xext-shm-avoid-null-dereference-in-ShmInitScreenPriv.patch
View File

@ -1,43 +0,0 @@
From 70c8842c14764e0cfb343cbe4c29acfedb4b0bc3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 12:18:49 -0700
Subject: [PATCH xserver 05/51] Xext/shm: avoid null dereference in
ShmInitScreenPriv()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:213:23: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:214:9: danger: screen_priv could be NULL: unchecked value from [(19)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/18)
# 212| if (!screen_priv) {
# 213| screen_priv = calloc(1, sizeof(ShmScrPrivateRec));
# 214|-> screen_priv->CloseScreen = pScreen->CloseScreen;
# 215| dixSetPrivate(&pScreen->devPrivates, shmScrPrivateKey, screen_priv);
# 216| pScreen->CloseScreen = ShmCloseScreen;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 87e53afd9c7f52a8fa3d1fed22db5380742cc7b7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/shm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/shm.c b/Xext/shm.c
index 24c6b1087..2b23a15fe 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -210,7 +210,7 @@ ShmInitScreenPriv(ScreenPtr pScreen)
ShmScrPrivateRec *screen_priv = ShmGetScreenPriv(pScreen);
if (!screen_priv) {
- screen_priv = calloc(1, sizeof(ShmScrPrivateRec));
+ screen_priv = XNFcallocarray(1, sizeof(ShmScrPrivateRec));
screen_priv->CloseScreen = pScreen->CloseScreen;
dixSetPrivate(&pScreen->devPrivates, shmScrPrivateKey, screen_priv);
pScreen->CloseScreen = ShmCloseScreen;
--
2.54.0

154
SOURCES/0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch
View File

@ -1,154 +0,0 @@
From f7f8b663c7d19cfbd29c8ea16ca6475d6a5f0af0 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:18:48 +1000
Subject: [PATCH xserver 5/9] glx: fix reversed length check in
ChangeDrawableAttributes
The request length validation in __glXDisp_ChangeDrawableAttributes and
__glXDispSwap_ChangeDrawableAttributes uses the wrong comparison direction.
The check tests whether the computed request size is LESS THAN
client->req_len, but should test whether it is GREATER THAN. With the
reversed operator, an undersized request (where numAttribs claims more
attribute pairs than the request actually contains) passes validation.
DoChangeDrawableAttributes then iterates numAttribs attribute pairs starting
from the end of the request header, reading past the actual request data
into adjacent memory. This is an out-of-bounds read that can also cause
an out-of-bounds write when a GLX_EVENT_MASK attribute key is found in the
overread data and its corresponding value is written to pGlxDraw->eventMask.
This patch effectively reverts commit 402b329c3aa8 ("glx: Work around
wrong request lengths sent by mesa"). This was fixed in mesa commit
4324d6fdfbba1 in 2011 (mesa 7.11).
Fixes: 402b329c3aa8 ("glx: Work around wrong request lengths sent by mesa")
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30165
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 6d459e4daf715bea8abdafa8fb130be2f8a1d145)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
glx/glxcmds.c | 21 +++++----------------
glx/glxcmdsswap.c | 12 +++++-------
2 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 75e42823c..758308432 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1122,8 +1122,7 @@ __glXDisp_GetFBConfigsSGIX(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
- /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
- REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1344,9 +1343,7 @@ __glXDisp_DestroyPixmap(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
- /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
- * length to 3 instead of 2 */
- REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1495,14 +1492,8 @@ __glXDisp_ChangeDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
client->errorValue = req->numAttribs;
return BadValue;
}
-#if 0
- /* mesa sends an additional 8 bytes */
+
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
-#else
- if (((sizeof(xGLXChangeDrawableAttributesReq) +
- (req->numAttribs << 3)) >> 2) < client->req_len)
- return BadLength;
-#endif
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
@@ -1569,8 +1560,7 @@ __glXDisp_DestroyWindow(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
- /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
- REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1923,8 +1913,7 @@ __glXDisp_GetDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *) pc;
- /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
- REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
return DoGetDrawableAttributes(cl, req->drawable);
}
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 7d6674470..96382672a 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -235,7 +235,7 @@ __glXDispSwap_GetFBConfigsSGIX(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -327,7 +327,7 @@ __glXDispSwap_DestroyPixmap(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -440,9 +440,7 @@ __glXDispSwap_ChangeDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
client->errorValue = req->numAttribs;
return BadValue;
}
- if (((sizeof(xGLXChangeDrawableAttributesReq) +
- (req->numAttribs << 3)) >> 2) < client->req_len)
- return BadLength;
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32 *) (req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -514,7 +512,7 @@ __glXDispSwap_DestroyWindow(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
__GLX_SWAP_INT(&req->glxwindow);
@@ -723,7 +721,7 @@ __glXDispSwap_GetDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
--
2.54.0

64
SOURCES/0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
View File

@ -1,64 +0,0 @@
From d943eaa6b8584e7ceebd73ee59bd84e99b09be5d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 11:47:15 +0200
Subject: [PATCH xserver 5/7] record: Check for overflow in
RecordSanityCheckRegisterClients()
The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than an maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.
This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.
CVE-2025-49179
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
record/record.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/record/record.c b/record/record.c
index a8aec23bd..afaceb55c 100644
--- a/record/record.c
+++ b/record/record.c
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
#include "inputstr.h"
#include "eventconvert.h"
#include "scrnintstr.h"
+#include "opaque.h"
#include <stdio.h>
#include <assert.h>
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
int i;
XID recordingClient;
+ /* LimitClients is 2048 at max, way less that MAXINT */
+ if (stuff->nClients > LimitClients)
+ return BadValue;
+
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+ return BadValue;
+
if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
return BadLength;
--
2.49.0

112
SOURCES/0005-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
View File

@ -1,112 +0,0 @@
From 5d6f378904ec5c7ae22e9ba4afd15e889a0a1df5 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 23 Feb 2026 15:52:49 +0100
Subject: [PATCH xserver 5/6] xkb: Add additional bound checking in
CheckKeyTypes()
The function CheckKeyTypes() will loop over the client's request but
won't perform any additional bound checking to ensure that the data
read remains within the request bounds.
As a result, a specifically crafted request may cause CheckKeyTypes() to
read past the request data, as reported by valgrind:
== Invalid read of size 2
== at 0x5A3D1D: CheckKeyTypes (xkb.c:1694)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 30 bytes after a block of size 28,672 in arena "client"
==
== Invalid read of size 2
== at 0x5A3AB6: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
== Invalid write of size 2
== at 0x5A3AD7: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
To avoid that issue, add additional bounds checking within the loops by
calling _XkbCheckRequestBounds() and report an error if we are to read
past the client's request.
CVE-2026-34003, ZDI-CAN-28736
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f47ffbc5d..1ee9cfb6f 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client,
for (i = 0; i < req->nTypes; i++) {
unsigned width;
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i);
+ return 0;
+ }
if (client->swapped) {
swaps(&wire->virtualMods);
}
@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client,
xkbModsWireDesc *preWire;
mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1];
+ if (!_XkbCheckRequestBounds(client, req, mapWire,
+ &mapWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries);
+ return 0;
+ }
preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries];
+ if (wire->preserve &&
+ !_XkbCheckRequestBounds(client, req, preWire,
+ &preWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries);
+ return 0;
+ }
for (n = 0; n < wire->nMapEntries; n++) {
if (client->swapped) {
swaps(&mapWire[n].virtualMods);
--
2.53.0

90
SOURCES/0006-Xext-sync-avoid-null-dereference-if-SysCounterGetPri.patch
View File

@ -1,90 +0,0 @@
From 03aeaee358fc6a34a851f875d37df405240879c1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 15:26:19 -0700
Subject: [PATCH xserver 06/51] Xext/sync: avoid null dereference if
SysCounterGetPrivate() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2664:9: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2662| SyncCounter *counter = pCounter;
# 2663| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2664|-> deviceid = priv->deviceid;
# 2665| }
# 2666| else
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2677:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2675| SyncCounter *counter = pCounter;
# 2676| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2677|-> int64_t *less = priv->value_less;
# 2678| int64_t *greater = priv->value_greater;
# 2679| int64_t idle, old_idle;
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2767:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2765| SyncCounter *counter = pCounter;
# 2766| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2767|-> int64_t *less = priv->value_less;
# 2768| int64_t *greater = priv->value_greater;
# 2769| int64_t idle;
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2800:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2798| SyncCounter *counter = pCounter;
# 2799| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2800|-> int64_t *less = priv->value_less;
# 2801| int64_t *greater = priv->value_greater;
# 2802| Bool registered = (less || greater);
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0211de37b340eccfc0bad6a3ea13b27810b11a30)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Xext/sync.c b/Xext/sync.c
index c3d160327..09a14ac3c 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -2695,9 +2695,11 @@ IdleTimeQueryValue(void *pCounter, int64_t *pValue_return)
int deviceid;
CARD32 idle;
+ *pValue_return = 0;
if (pCounter) {
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
deviceid = priv->deviceid;
}
else
@@ -2711,6 +2713,7 @@ IdleTimeBlockHandler(void *pCounter, void *wt)
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
int64_t idle, old_idle;
@@ -2801,6 +2804,7 @@ IdleTimeWakeupHandler(void *pCounter, int rc)
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
int64_t idle;
@@ -2834,6 +2838,7 @@ IdleTimeBracketValues(void *pCounter, int64_t *pbracket_less,
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
Bool registered = (less || greater);
--
2.54.0

43
SOURCES/0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
View File

@ -1,43 +0,0 @@
From 3d44c08d94e850769d7d16fce0596536370253b1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 20 May 2025 15:18:19 +0200
Subject: [PATCH xserver 6/7] randr: Check for overflow in
RRChangeProviderProperty()
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().
To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.
CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 3c3a4b767b16174d3213055947ea7f4f88e10ec6)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
randr/rrproviderproperty.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9b..7088570ee 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
if (mode == PropModeReplace || len > 0) {
void *new_data = NULL, *old_data = NULL;
-
+ if (total_len > MAXINT / size_in_bytes)
+ return BadValue;
total_size = total_len * size_in_bytes;
new_value.data = (void *) malloc(total_size);
if (!new_value.data && total_size) {
--
2.49.0

74
SOURCES/0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch
View File

@ -1,74 +0,0 @@
From 637343690922ccd44bedf4e524357b0593067fa2 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:19:20 +1000
Subject: [PATCH xserver 6/9] saver: re-fetch screen private after
CheckScreenPrivate in CreateSaverWindow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CreateSaverWindow stores pPriv (the ScreenSaverScreenPrivatePtr) in a local
variable via the SetupScreen macro at function entry. When an existing saver
window is being replaced, the function sets pPriv->hasWindow = FALSE and
calls CheckScreenPrivate(). If at this point pPriv->attr is NULL (cleared
by a prior UnsetAttributes call), pPriv->events is NULL, and
pPriv->installedMap is None, then CheckScreenPrivate determines the screen
private is unused, frees it, and sets the screen private pointer to NULL.
The function then continues to dereference the now-freed pPriv on the very
next line (pPriv->attr), resulting in a use-after-free. On glibc 2.34+,
the tcache key at offset 8 within the freed block makes pPriv->attr appear
non-NULL, causing the function to continue operating on garbage data and
eventually crash.
The attack sequence is:
1. SetAttributes (creates pPriv with pPriv->attr set)
2. ForceScreenSaver(Active) (creates saver window, pPriv->hasWindow=TRUE)
3. UnsetAttributes (sets pPriv->attr = NULL)
4. ForceScreenSaver(Active) (re-enters CreateSaverWindow → UAF)
Fix by re-fetching pPriv from the screen private after CheckScreenPrivate
returns, so the subsequent NULL check correctly detects the freed state.
ScreenSaverFreeAttr has the same pattern, force pPriv to NULL there too
even though it has no real effect.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30168
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit ecc634f1b2f7aa473d3a267eada98c4918bf9e05)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/saver.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Xext/saver.c b/Xext/saver.c
index c27a66c80..f750ef4cd 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -348,6 +348,9 @@ ScreenSaverFreeAttr(void *value, XID id)
dixSaveScreens(serverClient, SCREEN_SAVER_FORCER, ScreenSaverActive);
}
CheckScreenPrivate(pScreen);
+ /* CheckScreenPrivate may have freed pPriv (same pattern as
+ * CreateSaverWindow fix for ZDI-CAN-30168). */
+ pPriv = NULL;
return TRUE;
}
@@ -479,6 +482,8 @@ CreateSaverWindow(ScreenPtr pScreen)
UninstallSaverColormap(pScreen);
pPriv->hasWindow = FALSE;
CheckScreenPrivate(pScreen);
+ /* Re-fetch pPriv since CheckScreenPrivate may have freed it */
+ pPriv = GetScreenPrivate(pScreen);
}
}
--
2.54.0

221
SOURCES/0006-xkb-Add-more-_XkbCheckRequestBounds.patch
View File

@ -1,221 +0,0 @@
From 7c03d504c2b6ca498e0ff3761b000d77788f0c23 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 2 Mar 2026 14:09:57 +0100
Subject: [PATCH xserver 6/6] xkb: Add more _XkbCheckRequestBounds()
Similar to the recent fixes, add more _XkbCheckRequestBounds() to the
functions that loop over the request data, i.e.:
* CheckKeySyms()
* CheckKeyActions()
* CheckKeyBehaviors()
* CheckVirtualMods()
* CheckKeyExplicit()
* CheckVirtualModMap()
* _XkbSetMapChecks()
All these are static functions so we can add the client to the parameters
without breaking any API.
See also:
CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737
v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d38c563fab5c4a554e0939da39e4d1dadef7cbae)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 55 insertions(+), 14 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 1ee9cfb6f..f81d20655 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client,
KeySym *pSyms;
register unsigned nG;
+ /* Check we received enough data to read the next xkbSymMapWireDesc */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i);
+ return 0;
+ }
if (client->swapped) {
swaps(&wire->nSyms);
}
@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client,
return 0;
}
pSyms = (KeySym *) &wire[1];
+ if (wire->nSyms != 0) {
+ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) {
+ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms);
+ return 0;
+ }
+ }
wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms];
}
@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client,
}
static int
-CheckKeyActions(XkbDescPtr xkb,
- xkbSetMapReq * req,
- int nTypes,
- CARD8 *mapWidths,
- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
+CheckKeyActions(ClientPtr client,
+ XkbDescPtr xkb,
+ xkbSetMapReq * req,
+ int nTypes,
+ CARD8 *mapWidths,
+ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
{
int nActs;
CARD8 *wire = *wireRtrn;
@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb,
CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn),
0);
for (nActs = i = 0; i < req->nKeyActs; i++) {
+ /* Check we received enough data to read the next byte on the wire */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i);
+ return 0;
+ }
if (wire[0] != 0) {
if (wire[0] == symsPerKey[i + req->firstKeyAct])
nActs += wire[0];
@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb,
}
static int
-CheckKeyBehaviors(XkbDescPtr xkb,
+CheckKeyBehaviors(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn)
{
@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
for (i = 0; i < req->totalKeyBehaviors; i++, wire++) {
+ /* Check we received enough data to read the next behavior */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x36, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errorRtrn = _XkbErrCode4(0x33, first, last, wire->key);
return 0;
@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
static int
-CheckVirtualMods(XkbDescRec * xkb,
+CheckVirtualMods(ClientPtr client,
+ XkbDescRec * xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb,
if (req->virtualMods & bit)
nMods++;
}
+ /* Check we received enough data for the number of virtual mods expected */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) {
+ *errorRtrn = _XkbErrCode3(0x37, nMods, i);
+ return 0;
+ }
*wireRtrn = (wire + XkbPaddedSize(nMods));
return 1;
}
static int
-CheckKeyExplicit(XkbDescPtr xkb,
+CheckKeyExplicit(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
start = wire;
for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) {
+ /* Check we received enough data to read the next two bytes */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errorRtrn = _XkbErrCode4(0x54, first, last, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]);
return 0;
@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
}
static int
-CheckVirtualModMap(XkbDescPtr xkb,
+CheckVirtualModMap(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbVModMapWireDesc ** wireRtrn, int *errRtrn)
{
@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb,
return 0;
}
for (i = 0; i < req->totalVModMapKeys; i++, wire++) {
+ /* Check we received enough data to read the next virtual mod map key */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errRtrn = _XkbErrCode3(0x74, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errRtrn = _XkbErrCode4(0x73, first, last, wire->key);
return 0;
@@ -2562,7 +2603,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
}
if ((req->present & XkbKeyActionsMask) &&
- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey,
+ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey,
(CARD8 **) &values, &nActions))) {
client->errorValue = nActions;
return BadValue;
@@ -2570,18 +2611,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
if ((req->present & XkbKeyBehaviorsMask) &&
(!CheckKeyBehaviors
- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbVirtualModsMask) &&
- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbExplicitComponentsMask) &&
- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
@@ -2592,7 +2633,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
}
if ((req->present & XkbVirtualModMapMask) &&
(!CheckVirtualModMap
- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
2.53.0

47
SOURCES/0007-Xext-sync-avoid-null-dereference-in-init_system_idle.patch
View File

@ -1,47 +0,0 @@
From 2d2fcd6c83bbc174d1ae178388e7ae0d8297da56 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 15:40:22 -0700
Subject: [PATCH xserver 07/51] Xext/sync: avoid null dereference in
init_system_idle_counter()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2837:28: danger: priv could be NULL: unchecked value from [(30)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/29)
# 2835| IdleCounterPriv *priv = malloc(sizeof(IdleCounterPriv));
# 2836|
# 2837|-> priv->value_less = priv->value_greater = NULL;
# 2838| priv->deviceid = deviceid;
# 2839|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 304d21854d349b21dd8deb8a8f319637f17bd4a8)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 09a14ac3c..8fd7e947e 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -2876,8 +2876,10 @@ init_system_idle_counter(const char *name, int deviceid)
if (idle_time_counter != NULL) {
IdleCounterPriv *priv = malloc(sizeof(IdleCounterPriv));
- priv->value_less = priv->value_greater = NULL;
- priv->deviceid = deviceid;
+ if (priv) {
+ priv->value_less = priv->value_greater = NULL;
+ priv->deviceid = deviceid;
+ }
idle_time_counter->pSysCounterInfo->private = priv;
}
--
2.54.0

90
SOURCES/0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch
View File

@ -1,90 +0,0 @@
From 574f2e975aa8f2942f33b7fa35a33d20f27cdc02 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 29 Apr 2026 05:40:33 +0000
Subject: [PATCH xserver 7/9] dix: increase XLFDMAXFONTNAMELEN to match
libXfont2's MAXFONTNAMELEN
XLFDMAXFONTNAMELEN was 256 bytes, but libXfont2 defines MAXFONTNAMELEN
as 1024 and allows font names and alias targets up to that length in
fonts.alias files.
doListFontsAndAliases copies the resolved alias target into a
stack-allocated tmp_pattern[XLFDMAXFONTNAMELEN] and then into
c->current.pattern[XLFDMAXFONTNAMELEN] (defined in LFWIstateRec).
doListFontsWithInfo has the same pattern, copying the resolved name into
c->current.pattern[]. With the old 256-byte limit, a fonts.alias entry
with a target name between 257 and 1023 bytes would overflow both
buffers.
An attacker can exploit this by:
1. Creating a font directory with a fonts.alias containing an alias
whose target name exceeds 256 bytes
2. Using SetFontPath to add the malicious directory
3. Calling ListFonts with the alias name to trigger alias resolution
4. The oversized resolved name overflows the 256-byte stack buffer
Increase XLFDMAXFONTNAMELEN from 256 to 1024 to match libXfont2's
MAXFONTNAMELEN, ensuring the server can handle any name the font library
produces.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30136
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bb5158f962dc935e58ef8b4b5fcb31be201a6e07)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
dix/dixfonts.c | 8 ++++++++
include/closestr.h | 7 ++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 0ea8678bb..386c38686 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -671,6 +671,10 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
* is BadFontName, indicating the alias resolution
* is complete.
*/
+ if (resolvedlen > XLFDMAXFONTNAMELEN) {
+ err = BadFontName;
+ goto ContBadFontName;
+ }
memmove(tmp_pattern, resolved, resolvedlen);
if (c->haveSaved) {
char *tmpname;
@@ -934,6 +938,10 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c)
memmove(c->savedName, name, namelen + 1);
aliascount = 20;
}
+ if (namelen > XLFDMAXFONTNAMELEN) {
+ err = BadFontName;
+ goto ContBadFontName;
+ }
memmove(c->current.pattern, name, namelen);
c->current.patlen = namelen;
c->current.max_names = 1;
diff --git a/include/closestr.h b/include/closestr.h
index 60e6f09bc..7567ac6ea 100644
--- a/include/closestr.h
+++ b/include/closestr.h
@@ -57,7 +57,12 @@ typedef struct _OFclosure {
/* ListFontsWithInfo */
-#define XLFDMAXFONTNAMELEN 256
+/* libXfont2 allows font names/aliases up to MAXFONTNAMELEN (1024) bytes in
+ * fonts.alias files. The server's pattern buffers must be large enough to
+ * hold resolved alias targets returned by the font library.
+ * ZDI-CAN-30136
+ */
+#define XLFDMAXFONTNAMELEN 1024
typedef struct _LFWIstate {
char pattern[XLFDMAXFONTNAMELEN];
int patlen;
--
2.54.0

50
SOURCES/0007-xfree86-Check-for-RandR-provider-functions.patch
View File

@ -1,50 +0,0 @@
From 8de5a9b2be31d14dcce3795f919b353d62e56897 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 14:59:46 +0200
Subject: [PATCH xserver 7/7] xfree86: Check for RandR provider functions
Changing XRandR provider properties if the driver has set no provider
function such as the modesetting driver will cause a NULL pointer
dereference and a crash of the Xorg server.
Related to CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0235121c6a7a6eb247e2addb3b41ed6ef566853d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
hw/xfree86/modes/xf86RandR12.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index f220ef192..ccb7f629c 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -2133,7 +2133,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
/* If we don't have any property handler, then we don't care what the
* user is setting properties to.
*/
- if (config->provider_funcs->set_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->set_property == NULL)
return TRUE;
/*
@@ -2151,7 +2152,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
- if (config->provider_funcs->get_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->get_property == NULL)
return TRUE;
/* Should be safe even w/o vtSema */
--
2.49.0

43
SOURCES/0008-Xext-sync-Avoid-dereference-of-invalid-pointer-if-ma.patch
View File

@ -1,43 +0,0 @@
From 010a613e860e2ff47665535cd4821e3b5e03548a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 16:04:50 -0700
Subject: [PATCH xserver 08/51] Xext/sync: Avoid dereference of invalid pointer
if malloc() failed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported incorrectly in #1817 as:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2843:12: danger: priv leaks here; was allocated at [(30)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/29)
but the "leak" is really saving the pointer in an uninitalized pointer in
a structure that was already freed when the malloc of the SysCounterInfo
struct failed in SyncCreateSystemCounter(), because it returned the address
of the freed struct instead of NULL to indicate failure.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6034ce11b6cd31d42df0f5781f70d3073d91f95b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 8fd7e947e..89a1af13b 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -1025,7 +1025,7 @@ SyncCreateSystemCounter(const char *name,
psci = malloc(sizeof(SysCounterInfo));
if (!psci) {
FreeResource(pCounter->sync.id, RT_NONE);
- return pCounter;
+ return NULL;
}
pCounter->pSysCounterInfo = psci;
psci->pCounter = pCounter;
--
2.54.0

109
SOURCES/0008-dri2-Use-booleans-for-fake-front-buffer-tracking-in-.patch
View File

@ -1,109 +0,0 @@
From 8cb12cc50d0b1592294ad46594731dc088b493f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Wed, 13 May 2026 14:29:26 +0200
Subject: [PATCH xserver 8/9] dri2: Use booleans for (fake) front buffer
tracking in do_get_buffers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works as intended — the (fake) front buffer needs to be added
only if the client didn't request it in the first place — even if the
client requests the same attachment multiple times. This ensures we
never try to access more than (count + 1) entries of the buffers array.
Fixes: ff6c7764c290 ("DRI2: Implement protocol for DRI2GetBuffersWithFormat")
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
hw/xfree86/dri2/dri2.c | 37 ++++++++++++++++++-------------------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index 6619e3aa7..fdf15d9a1 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -560,9 +560,10 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw);
DRI2ScreenPtr ds;
DRI2BufferPtr *buffers;
- int need_real_front = 0;
- int need_fake_front = 0;
- int have_fake_front = 0;
+ Bool need_real_front = FALSE;
+ Bool have_real_front = FALSE;
+ Bool need_fake_front = FALSE;
+ Bool have_fake_front = FALSE;
int front_format = 0;
int dimensions_match;
int buffers_changed = 0;
@@ -595,34 +596,32 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
if (buffers[i] == NULL)
goto err_out;
- /* If the drawable is a window and the front-buffer is requested,
- * silently add the fake front-buffer to the list of requested
- * attachments. The counting logic in the loop accounts for the case
- * where the client requests both the fake and real front-buffer.
+ /* In certain cases the (fake) front buffer is always needed, so return
+ * it even if the client failed to request it.
+ * The logic in & after the loop accounts for the case where the client
+ * does request the (fake) front buffer, to avoid returning it multiple
+ * times.
*/
if (attachment == DRI2BufferBackLeft) {
- need_real_front++;
+ need_real_front = TRUE;
front_format = format;
}
if (attachment == DRI2BufferFrontLeft) {
- need_real_front--;
+ have_real_front = TRUE;
front_format = format;
- if (pDraw->type == DRAWABLE_WINDOW) {
- need_fake_front++;
- }
+ if (pDraw->type == DRAWABLE_WINDOW)
+ need_fake_front = TRUE;
}
if (pDraw->type == DRAWABLE_WINDOW) {
- if (attachment == DRI2BufferFakeFrontLeft) {
- need_fake_front--;
- have_fake_front = 1;
- }
+ if (attachment == DRI2BufferFakeFrontLeft)
+ have_fake_front = TRUE;
}
}
- if (need_real_front > 0) {
+ if (need_real_front && !have_real_front) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -633,7 +632,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
i++;
}
- if (need_fake_front > 0) {
+ if (need_fake_front && !have_fake_front) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFakeFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -643,7 +642,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
goto err_out;
i++;
- have_fake_front = 1;
+ have_fake_front = TRUE;
}
*out_count = i;
--
2.54.0

45
SOURCES/0009-Xext-vidmode-avoid-null-dereference-if-VidModeCreate.patch
View File

@ -1,45 +0,0 @@
From 0e8e24610bd8135ec0855c8a25b903f012eaad1a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 16:20:37 -0700
Subject: [PATCH xserver 09/51] Xext/vidmode: avoid null dereference if
VidModeCreateMode() allocation fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/vidmode.c:96:5: warning[-Wanalyzer-null-argument]: use of NULL VidModeCreateMode() where non-null expected
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 5e62aaaf57b18136969699fd073e123edfb1aa70)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/vidmode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index 6e4a7c709..2f996e9e9 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -808,6 +808,8 @@ ProcVidModeModModeLine(ClientPtr client)
return BadValue;
modetmp = VidModeCreateMode();
+ if (modetmp == NULL)
+ return BadAlloc;
VidModeCopyMode(mode, modetmp);
VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
@@ -951,6 +953,8 @@ ProcVidModeValidateModeLine(ClientPtr client)
return BadValue;
modetmp = VidModeCreateMode();
+ if (modetmp == NULL)
+ return BadAlloc;
VidModeCopyMode(mode, modetmp);
VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
--
2.54.0

140
SOURCES/0009-dri2-Deduplicate-attachments-in-do_get_buffer.patch
View File

@ -1,140 +0,0 @@
From e674fb65a6662d1951c9d9fba2df429a04b54881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 15 May 2026 17:47:51 +0200
Subject: [PATCH xserver 9/9] dri2: Deduplicate attachments in do_get_buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It was always the intention of the DRI2 protocol that there's at most
one instance of each attachment, and that's how it was implemented in
Mesa.
Since that wasn't enforced though, there might be other clients in the
wild which (e.g. accidentally) request the same attachment multiple
times. So starting to a raise a protocol error in this case now risks
breaking such clients.
Instead, just deduplicate the attachments using a bit-set.
This has a couple of desirable side effects:
* destroy_buffer cannot be called multiple times for the same
DRI2BufferPtr.
* The client cannot cause the server to allocate a buffers array with
more entries than there are attachments (currently 11).
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 339c279514326134b0878fc23ce6e9520440ce7f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
hw/xfree86/dri2/dri2.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index fdf15d9a1..6b6a2b9ef 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -560,16 +560,16 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw);
DRI2ScreenPtr ds;
DRI2BufferPtr *buffers;
+ unsigned attachments_bitset = 0;
Bool need_real_front = FALSE;
- Bool have_real_front = FALSE;
Bool need_fake_front = FALSE;
- Bool have_fake_front = FALSE;
int front_format = 0;
int dimensions_match;
int buffers_changed = 0;
int i;
- if (!pPriv) {
+ if (!pPriv ||
+ count > DRI2BufferHiz + 1) {
*width = pDraw->width;
*height = pDraw->height;
*out_count = 0;
@@ -581,7 +581,10 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
dimensions_match = (pDraw->width == pPriv->width)
&& (pDraw->height == pPriv->height);
- buffers = calloc((count + 1), sizeof(buffers[0]));
+ /* Since we deduplicate attachments in the buffers array, there cannot be
+ * more entries than there are attachments.
+ */
+ buffers = calloc((min(count, DRI2BufferHiz) + 1), sizeof(buffers[0]));
if (!buffers)
goto err_out;
@@ -589,6 +592,14 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
const unsigned attachment = *(attachments++);
const unsigned format = (has_format) ? *(attachments++) : 0;
+ if (attachment > DRI2BufferHiz)
+ goto err_out;
+
+ if (attachments_bitset & (1u << attachment))
+ continue;
+
+ attachments_bitset |= 1u << attachment;
+
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, attachment,
format, dimensions_match, &buffers[i]))
buffers_changed = 1;
@@ -608,20 +619,15 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
}
if (attachment == DRI2BufferFrontLeft) {
- have_real_front = TRUE;
front_format = format;
if (pDraw->type == DRAWABLE_WINDOW)
need_fake_front = TRUE;
}
-
- if (pDraw->type == DRAWABLE_WINDOW) {
- if (attachment == DRI2BufferFakeFrontLeft)
- have_fake_front = TRUE;
- }
}
- if (need_real_front && !have_real_front) {
+ if (need_real_front &&
+ !(attachments_bitset & (1u << DRI2BufferFrontLeft))) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -632,7 +638,8 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
i++;
}
- if (need_fake_front && !have_fake_front) {
+ if (need_fake_front &&
+ !(attachments_bitset & (1u << DRI2BufferFakeFrontLeft))) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFakeFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -642,7 +649,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
goto err_out;
i++;
- have_fake_front = TRUE;
+ attachments_bitset |= 1u << DRI2BufferFakeFrontLeft;
}
*out_count = i;
@@ -654,7 +661,8 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
* contents of the real front-buffer. This ensures correct operation of
* applications that call glXWaitX before calling glDrawBuffer.
*/
- if (have_fake_front && buffers_changed) {
+ if (buffers_changed &&
+ (attachments_bitset & (1u << DRI2BufferFakeFrontLeft))) {
BoxRec box;
RegionRec region;
--
2.54.0

38
SOURCES/0010-Xext-xres-avoid-null-dereference-in-ProcXResQueryCli.patch
View File

@ -1,38 +0,0 @@
From ae00a059dcfdc8c1de23f8e9310bd140679aba09 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:10:20 -0700
Subject: [PATCH xserver 10/51] Xext/xres: avoid null dereference in
ProcXResQueryClients()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:233:13: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL current_clients
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:228:23: acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 3da60c96a9c3ea26404313eb490e46847b04949c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xres.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xext/xres.c b/Xext/xres.c
index 7a7aabc9b..4ef8aa04f 100644
--- a/Xext/xres.c
+++ b/Xext/xres.c
@@ -224,6 +224,8 @@ ProcXResQueryClients(ClientPtr client)
REQUEST_SIZE_MATCH(xXResQueryClientsReq);
current_clients = xallocarray(currentMaxClients, sizeof(int));
+ if (current_clients == NULL)
+ return BadAlloc;
num_clients = 0;
for (i = 0; i < currentMaxClients; i++) {
--
2.54.0

38
SOURCES/0011-Xext-xselinux-add-fast-path-to-ProcSELinuxListSelect.patch
View File

@ -1,38 +0,0 @@
From 63511dd097c5ff8e57f34c4f8b0af8e441c0ac3c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:19:05 -0700
Subject: [PATCH xserver 11/51] Xext/xselinux: add fast path to
ProcSELinuxListSelections()
If there's nothing to send, skip over a bunch of code to make a list
that won't be used, and hopefully make the code path clearer to both
humans and static analyzers, who raise errors as seen in #1817 of
dereferencing NULL pointers when count == 0.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d34243606c8d7a01108827ad1ca3216bf81a119d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xselinux_ext.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index 1395a563b..9784dca4e 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -452,8 +452,10 @@ ProcSELinuxListSelections(ClientPtr client)
count = 0;
for (pSel = CurrentSelections; pSel; pSel = pSel->next)
count++;
+ if (count == 0)
+ return SELinuxSendItemsToClient(client, NULL, 0, 0);
items = calloc(count, sizeof(SELinuxListItemRec));
- if (count && !items)
+ if (!items)
return BadAlloc;
/* Fill in the items and calculate size */
--
2.54.0

51
SOURCES/0012-Xext-xselinux-avoid-memory-leak-in-SELinuxAtomToSID.patch
View File

@ -1,51 +0,0 @@
From 50aa84b64bb9c38b4b67a00221ca6ae5e00808cc Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:26:47 -0700
Subject: [PATCH xserver 12/51] Xext/xselinux: avoid memory leak in
SELinuxAtomToSID()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: warning[-Wanalyzer-malloc-leak]: leak of rec
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:133:1: enter_function: entry to SELinuxAtomToSID
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:141:15: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:69:12: branch_true: following true branch...
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: danger: rec leaks here; was allocated at [(2)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/1)
# 140| if (!rec) {
# 141| rec = calloc(1, sizeof(SELinuxAtomRec));
# 142|-> if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec))
# 143| return BadAlloc;
# 144| }
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 21cbc56c43af04a72ee2d77023194f436027eb4d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xselinux_label.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Xext/xselinux_label.c b/Xext/xselinux_label.c
index 8559385b9..774f1d9cc 100644
--- a/Xext/xselinux_label.c
+++ b/Xext/xselinux_label.c
@@ -138,8 +138,12 @@ SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec ** obj_rtn)
rec = SELinuxArrayGet(&arr_atoms, atom);
if (!rec) {
rec = calloc(1, sizeof(SELinuxAtomRec));
- if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec))
+ if (!rec)
return BadAlloc;
+ if (!SELinuxArraySet(&arr_atoms, atom, rec)) {
+ free(rec);
+ return BadAlloc;
+ }
}
if (prop) {
--
2.54.0

54
SOURCES/0013-Xext-xtest-avoid-null-dereference-in-ProcXTestFakeIn.patch
View File

@ -1,54 +0,0 @@
From 3612d6af9cb75895137e89302b633e730171a4d6 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:38:32 -0700
Subject: [PATCH xserver 13/51] Xext/xtest: avoid null dereference in
ProcXTestFakeInput()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext
/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:440:9: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:440:9: danger: dereference of NULL dev
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 04ef51dae63dc9ef3d28f7d0b78b4504dbb01f66)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xtest.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xext/xtest.c b/Xext/xtest.c
index 3b66224be..fe3a868a4 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -318,6 +318,10 @@ ProcXTestFakeInput(ClientPtr client)
return BadAccess;
dev = GetXTestDevice(dev);
+
+ /* This can only happen if we passed a slave to GetXTestDevice() */
+ if (!dev)
+ return BadAccess;
}
--
2.54.0

91
SOURCES/0014-Xi-avoid-null-dereference-if-wOtherInputMasks-return.patch
View File

@ -1,91 +0,0 @@
From 826550e2cfd8a033c4a16dffdd852f2115e7331f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 15:38:35 -0700
Subject: [PATCH xserver 14/51] Xi: avoid null dereference if
wOtherInputMasks() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1390:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1404:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:2293:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3244:22:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3338:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7b7bcf92311db87a0292474dcf2ed9767f4a9abd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/exevents.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 1930089d3..7249f492c 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1331,6 +1331,7 @@ RetrieveTouchDeliveryData(DeviceIntPtr dev, TouchPointInfoPtr ti,
else
evtype = GetXI2Type(ev->any.type);
+ BUG_RETURN_VAL(!wOtherInputMasks(*win), FALSE);
nt_list_for_each_entry(iclients,
wOtherInputMasks(*win)->inputClients, next)
if (xi2mask_isset(iclients->xi2mask, dev, evtype))
@@ -1345,6 +1346,7 @@ RetrieveTouchDeliveryData(DeviceIntPtr dev, TouchPointInfoPtr ti,
int xi_type = GetXIType(TouchGetPointerEventType(ev));
Mask xi_filter = event_get_filter_from_type(dev, xi_type);
+ BUG_RETURN_VAL(!wOtherInputMasks(*win), FALSE);
nt_list_for_each_entry(iclients,
wOtherInputMasks(*win)->inputClients, next)
if (iclients->mask[dev->id] & xi_filter)
@@ -2974,13 +2976,18 @@ DeviceEventSuppressForWindow(WindowPtr pWin, ClientPtr client, Mask mask,
inputMasks->dontPropagateMask[maskndx] = mask;
}
else {
- if (!inputMasks)
- AddExtensionClient(pWin, client, 0, 0);
- inputMasks = wOtherInputMasks(pWin);
+ if (!inputMasks) {
+ int ret = AddExtensionClient(pWin, client, 0, 0);
+
+ if (ret != Success)
+ return ret;
+ inputMasks = wOtherInputMasks(pWin);
+ BUG_RETURN_VAL(!inputMasks, BadAlloc);
+ }
inputMasks->dontPropagateMask[maskndx] = mask;
}
RecalculateDeviceDeliverableEvents(pWin);
- if (ShouldFreeInputMasks(pWin, FALSE))
+ if (inputMasks && ShouldFreeInputMasks(pWin, FALSE))
FreeResource(inputMasks->inputClients->resource, RT_NONE);
return Success;
}
@@ -3075,6 +3082,7 @@ XISetEventMask(DeviceIntPtr dev, WindowPtr win, ClientPtr client,
if (len && !others) {
if (AddExtensionClient(win, client, 0, 0) != Success)
return BadAlloc;
+ BUG_RETURN_VAL(!wOtherInputMasks(win), BadAlloc);
others = wOtherInputMasks(win)->inputClients;
}
--
2.54.0

43
SOURCES/0015-Xi-set-value-for-led_values-in-CopySwapKbdFeedback.patch
View File

@ -1,43 +0,0 @@
From 5eeb67f1d806c25ef31d2110b21644a59de83815 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:12:29 -0700
Subject: [PATCH xserver 15/51] Xi: set value for led_values in
CopySwapKbdFeedback()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(The existing setting of led_mask is probably wrong, but has been set
like this since X11R5 and going back as far as the first version in
the X Consortium source control archives.)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getfctl.c:108:9:
warning[-Wanalyzer-use-of-uninitialized-value]:
use of uninitialized value *k2.led_values
108|-> swapl(&k2->led_values);
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 90c8429d3509894f8834ead3b15f2e76657e57a6)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/getfctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xi/getfctl.c b/Xi/getfctl.c
index eea0113c1..61f14c5ea 100644
--- a/Xi/getfctl.c
+++ b/Xi/getfctl.c
@@ -97,6 +97,7 @@ CopySwapKbdFeedback(ClientPtr client, KbdFeedbackPtr k, char **buf)
k2->pitch = k->ctrl.bell_pitch;
k2->duration = k->ctrl.bell_duration;
k2->led_mask = k->ctrl.leds;
+ k2->led_values = k->ctrl.leds;
k2->global_auto_repeat = k->ctrl.autoRepeat;
for (i = 0; i < 32; i++)
k2->auto_repeats[i] = k->ctrl.autoRepeats[i];
--
2.54.0

41
SOURCES/0016-Xi-handle-allocation-failure-in-ProcXGetDeviceDontPr.patch
View File

@ -1,41 +0,0 @@
From f9d3537883522255d5fa91ea8b63c745286232ee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:32:45 -0700
Subject: [PATCH xserver 16/51] Xi: handle allocation failure in
ProcXGetDeviceDontPropagateList()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:163:25:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL buf
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:121:19:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7b18313e2a9d0409ac7465d2f313153013fdf5a3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/getprop.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xi/getprop.c b/Xi/getprop.c
index b744f35cb..b53db7306 100644
--- a/Xi/getprop.c
+++ b/Xi/getprop.c
@@ -119,6 +119,8 @@ ProcXGetDeviceDontPropagateList(ClientPtr client)
if (count) {
rep.count = count;
buf = xallocarray(rep.count, sizeof(XEventClass));
+ if (buf == NULL)
+ return BadAlloc;
rep.length = bytes_to_int32(rep.count * sizeof(XEventClass));
tbuf = buf;
--
2.54.0

43
SOURCES/0017-Xi-handle-allocation-failure-in-ProcXListInputDevice.patch
View File

@ -1,43 +0,0 @@
From 4c5a0e203feaae43134264bb3a999453d6f09a2c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:37:48 -0700
Subject: [PATCH xserver 17/51] Xi: handle allocation failure in
ProcXListInputDevices()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:171:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL dev
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:379:23:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 19c6195e711d9f9fabbde1bea7a6393c4a4c3cd3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/listdev.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xi/listdev.c b/Xi/listdev.c
index c15e61b37..5b860e92c 100644
--- a/Xi/listdev.c
+++ b/Xi/listdev.c
@@ -377,6 +377,10 @@ ProcXListInputDevices(ClientPtr client)
/* allocate space for reply */
total_length = numdevs * sizeof(xDeviceInfo) + size + namesize;
devbuf = (char *) calloc(1, total_length);
+ if (!devbuf) {
+ free(skip);
+ return BadAlloc;
+ }
classbuf = devbuf + (numdevs * sizeof(xDeviceInfo));
namebuf = classbuf + size;
savbuf = devbuf;
--
2.54.0

39
SOURCES/0018-Xi-handle-allocation-failure-in-add_master_func.patch
View File

@ -1,39 +0,0 @@
From d3db315eb5fff0933c16e772081754ee02b48938 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:52:39 -0700
Subject: [PATCH xserver 18/51] Xi: handle allocation failure in
add_master_func()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/xibarriers.c:729:5:
warning[-Wanalyzer-null-dereference]:
dereference of NULL AllocBarrierDevice()
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0ee603905387e00a2e3d83ead1de99ca61d641fb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/xibarriers.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index cb336f22b..ad82852fe 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -726,6 +726,8 @@ static void add_master_func(void *res, XID id, void *devid)
pbd = AllocBarrierDevice();
+ if (!pbd)
+ return;
pbd->deviceid = *deviceid;
input_lock();
--
2.54.0

39
SOURCES/0019-dix-handle-allocation-failure-in-DeviceFocusEvent.patch
View File

@ -1,39 +0,0 @@
From 4f68278ca74892098c6600adc3e6d8901682793e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 12:59:04 -0700
Subject: [PATCH xserver 19/51] dix: handle allocation failure in
DeviceFocusEvent()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/enterleave.c:786:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL xi2event
Fixes: 3f37923a7 ("Xi: send XI2 focus events." in Xorg 1.10.0)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit dedceb52bcbba2431368b53acbbba490ac8ee485)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/enterleave.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 78a7dab39..df3ffd224 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -774,6 +774,7 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
len = sizeof(xXIFocusInEvent) + btlen * 4;
xi2event = calloc(1, len);
+ BUG_RETURN(xi2event == NULL);
xi2event->type = GenericEvent;
xi2event->extension = IReqCode;
xi2event->evtype = type;
--
2.54.0

54
SOURCES/0020-dix-avoid-null-dereference-if-wOtherInputMasks-retur.patch
View File

@ -1,54 +0,0 @@
From 69599f57afd64ff1289dbbd29e5e108435b7ffc2 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 16:16:12 -0700
Subject: [PATCH xserver 20/51] dix: avoid null dereference if
wOtherInputMasks() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/gestures.c:242:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:765:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:782:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 15496a5e3d5407a2b480d8c726b012455f7898bb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/touch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/touch.c b/dix/touch.c
index 37902bd05..5c5c21303 100644
--- a/dix/touch.c
+++ b/dix/touch.c
@@ -797,6 +797,8 @@ TouchAddRegularListener(DeviceIntPtr dev, TouchPointInfoPtr ti,
inputMasks = wOtherInputMasks(win);
if (mask & EVENT_XI2_MASK) {
+ BUG_RETURN_VAL(!inputMasks, FALSE);
+
nt_list_for_each_entry(iclients, inputMasks->inputClients, next) {
if (!xi2mask_isset(iclients->xi2mask, dev, evtype))
continue;
@@ -814,6 +816,8 @@ TouchAddRegularListener(DeviceIntPtr dev, TouchPointInfoPtr ti,
int xitype = GetXIType(TouchGetPointerEventType(ev));
Mask xi_filter = event_get_filter_from_type(dev, xitype);
+ BUG_RETURN_VAL(!inputMasks, FALSE);
+
nt_list_for_each_entry(iclients, inputMasks->inputClients, next) {
if (!(iclients->mask[dev->id] & xi_filter))
continue;
--
2.54.0

62
SOURCES/0021-dix-assert-that-size-of-buffers-to-swap-is-a-multipl.patch
View File

@ -1,62 +0,0 @@
From 98988e606948fb88290fe51ab8aed599c2dc7b42 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 18:26:55 -0700
Subject: [PATCH xserver 21/51] dix: assert that size of buffers to swap is a
multiple of the swap size
If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit cf49354b6060b71ae41febe67327278fbcb7c74a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/swaprep.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dix/swaprep.c b/dix/swaprep.c
index 08344d7f7..04279e5f4 100644
--- a/dix/swaprep.c
+++ b/dix/swaprep.c
@@ -48,6 +48,8 @@ SOFTWARE.
#include <dix-config.h>
#endif
+#include <assert.h>
+
#include <X11/X.h>
#include <X11/Xproto.h>
#include "misc.h"
@@ -95,6 +97,8 @@ CopySwap32Write(ClientPtr pClient, int size, CARD32 *pbuf)
CARD32 *from, *to, *fromLast, *toLast;
CARD32 tmpbuf[1];
+ assert((bufsize % sizeof(CARD32)) == 0);
+
/* Allocate as big a buffer as we can... */
while (!(pbufT = malloc(bufsize))) {
bufsize >>= 1;
@@ -142,6 +146,8 @@ CopySwap16Write(ClientPtr pClient, int size, short *pbuf)
short *from, *to, *fromLast, *toLast;
short tmpbuf[2];
+ assert((bufsize % sizeof(short)) == 0);
+
/* Allocate as big a buffer as we can... */
while (!(pbufT = malloc(bufsize))) {
bufsize >>= 1;
--
2.54.0

42
SOURCES/0022-dix-handle-allocation-failure-in-ChangeWindowDeviceC.patch
View File

@ -1,42 +0,0 @@
From 28c7d5470a1d4241594d2629952427767e3b88ce Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 12 Oct 2025 09:48:15 -0700
Subject: [PATCH xserver 22/51] dix: handle allocation failure in
ChangeWindowDeviceCursor()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/window.c:3495:9:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL pNewNode
xwayland-24.1.6/redhat-linux-build/../dix/window.c:3494:20:
acquire_memory: this call could return NULL
Fixes: 95e1a8805 ("Xi: Adding ChangeDeviceCursor request" in xorg 1.10.0)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c9fa8a8da161e1c37058a342ba5495ce627d0985)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/window.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dix/window.c b/dix/window.c
index 8789a5ece..219e8c470 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -3510,6 +3510,8 @@ ChangeWindowDeviceCursor(WindowPtr pWin, DeviceIntPtr pDev, CursorPtr pCursor)
return Success;
pNewNode = malloc(sizeof(DevCursNodeRec));
+ if (!pNewNode)
+ return BadAlloc;
pNewNode->dev = pDev;
pNewNode->next = pWin->optional->deviceCursors;
pWin->optional->deviceCursors = pNewNode;
--
2.54.0

42
SOURCES/0023-xfree86-Fix-builds-with-gcc-Wpedantic.patch
View File

@ -1,42 +0,0 @@
From 6fda4afcb9f5ebcaa7ebb91a4e55a19c4a64cf4d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Aug 2025 11:20:01 -0700
Subject: [PATCH xserver 23/51] xfree86: Fix builds with gcc -Wpedantic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
../hw/xfree86/loader/loadmod.c:85:33: warning: ISO C forbids empty
initializer braces before C23 [-Wpedantic]
85 | static int ModuleDuplicated[] = { };
| ^
../hw/xfree86/loader/loadmod.c:85:12: error: zero or negative size array
ModuleDuplicated
85 | static int ModuleDuplicated[] = { };
| ^~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d03c84b57f1455b20518781026777b938194b2a4)
(cherry picked from commit 3e0f37c95c92829e338a910379440ba9b4f4170d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/loader/loadmod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index 342c7b800..6f7c6d93c 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -82,7 +82,7 @@ const ModuleVersions LoaderVersionInfo = {
ABI_EXTENSION_VERSION,
};
-static int ModuleDuplicated[] = { };
+static int ModuleDuplicated[] = { 0 };
static void
FreeStringList(char **paths)
--
2.54.0

52
SOURCES/0024-dix-set-errorValue-correctly-when-XID-lookup-fails-i.patch
View File

@ -1,52 +0,0 @@
From 82a58016e202f10e87b2d629f6ae3a6bcfca80cb Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 7 Dec 2025 15:57:53 -0800
Subject: [PATCH xserver 24/51] dix: set errorValue correctly when XID lookup
fails in ChangeGCXIDs()
dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.
Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ac42c39145849588544ad10812e5a8ae76bf1114)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
dix/gc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/dix/gc.c b/dix/gc.c
index 4ccbd3b54..717998cfd 100644
--- a/dix/gc.c
+++ b/dix/gc.c
@@ -441,6 +441,7 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
vals[i].val = pC32[i];
for (i = 0; i < ARRAY_SIZE(xidfields); ++i) {
int offset, rc;
+ XID id;
if (!(mask & xidfields[i].mask))
continue;
@@ -449,11 +450,13 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
vals[offset].ptr = NullPixmap;
continue;
}
- rc = dixLookupResourceByType(&vals[offset].ptr, vals[offset].val,
+ /* save the id, since dixLookupResourceByType overwrites &vals[offset] */
+ id = vals[offset].val;
+ rc = dixLookupResourceByType(&vals[offset].ptr, id,
xidfields[i].type, client,
xidfields[i].access_mode);
if (rc != Success) {
- client->errorValue = vals[offset].val;
+ client->errorValue = id;
return rc;
}
}
--
2.54.0

40
SOURCES/0025-os-avoid-closing-null-fd-at-Fopen.patch
View File

@ -1,40 +0,0 @@
From 1542f1bb8de1d4ccd32047a15740c8dd1002502b Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 17 Dec 2025 11:52:16 +0300
Subject: [PATCH xserver 25/51] os: avoid closing null fd at Fopen
In `Fopen` function variable `iop` may store NULL as a result of `fopen`
call. In this case, if later privileges couldn't be restored (`seteuid`
call fails), further `fclose(iop)` call will cause runtime error.
This commit adds check `iop` for NULL before calling `fclose` to prevent
potential NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit f83807647e171def9244a7f1d8d9af8e8e79f847)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
os/utils.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/os/utils.c b/os/utils.c
index 2ba1c8013..0a9f36fcd 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -1589,7 +1589,9 @@ Fopen(const char *file, const char *type)
iop = fopen(file, type);
if (seteuid(euid) == -1) {
- fclose(iop);
+ if (iop) {
+ fclose(iop);
+ }
return NULL;
}
return iop;
--
2.54.0

50
SOURCES/0026-render-fix-multiple-mem-leaks-on-err-paths.patch
View File

@ -1,50 +0,0 @@
From 7ad37a32bc5ad5d385bfd65755d58f10f1c10013 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Thu, 5 Feb 2026 16:07:43 +0300
Subject: [PATCH xserver 26/51] render: fix multiple mem leaks on err paths
Free nested allocations when initialization fails.
Several code paths returned early on error without releasing
memory owned by embedded structures, leading to leaks.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 809402414e4b84ad5c084221c7b4da9bd2c5d55d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
render/picture.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/render/picture.c b/render/picture.c
index a53f3b560..f6729eaef 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -911,6 +911,7 @@ CreateLinearGradientPicture(Picture pid, xPointFixed * p1, xPointFixed * p2,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
@@ -956,6 +957,7 @@ CreateRadialGradientPicture(Picture pid, xPointFixed * inner,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
@@ -994,6 +996,7 @@ CreateConicalGradientPicture(Picture pid, xPointFixed * center, xFixed angle,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
--
2.54.0

52
SOURCES/0027-dix-avoid-null-ptr-deref-at-doListFontsAndAliases.patch
View File

@ -1,52 +0,0 @@
From d977ac58df2837014b4b1745113d03937cf6bf2f Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 17 Dec 2025 11:15:27 +0300
Subject: [PATCH xserver 27/51] dix: avoid null ptr deref at
doListFontsAndAliases
In the `doListFontsAndAliases` function in dixfonts.c, when a font alias
is encountered (`err == FontNameAlias`) as a result of
`list_next_font_or_alias` call, the code allocates memory for
`resolved` variable (`resolvedlen + 1` bytes) for storing target font
name. In this case, if the `malloc(resolvedlen + 1)` call fails,
`resolved` remains NULL.
Later, when check (`else if (err == FontNameAlias)`) is TRUE, the code
uses `memcpy` to copy nullable `resolved` into `tmp_pattern` without
checking if `resolved` is NULL, so there is a potential null ptr
dereference.
This commit replaces `malloc` with `XNFalloc` for allocating memory for
`resolved`. `XNFalloc` will internally check result of `malloc` and stop
program execution if allocation was failed, preventing potential NULL
dereferencing.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 0237462d326c78868c83b6eda35a9d35725f3b33)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
dix/dixfonts.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index b079dcf67..553f4d7d4 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -639,9 +639,8 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
}
if (err == FontNameAlias) {
free(resolved);
- resolved = malloc(resolvedlen + 1);
- if (resolved)
- memmove(resolved, tmpname, resolvedlen + 1);
+ resolved = XNFalloc(resolvedlen + 1);
+ memcpy(resolved, tmpname, resolvedlen + 1);
}
}
--
2.54.0

59
SOURCES/0028-randr-clear-primary-screen-s-primaryOutput-when-the-.patch
View File

@ -1,59 +0,0 @@
From 361a7e40f294e471d4b2f9bfb7a250fb84d8564b Mon Sep 17 00:00:00 2001
From: hongao <hongao@uniontech.com>
Date: Wed, 15 May 2024 14:35:23 +0800
Subject: [PATCH xserver 28/51] randr: clear primary screen's primaryOutput
when the output is deleted
This fix use after free when a pluggable gpu screen (such as displaylink)
was set as primary screen and unpluged.
gdb backtrace:
#0 OssigHandler (signo=11, sip=0x7fff2e0a50f0, unused=0x7fff2e0a4fc0) at ../../../../os/osinit.c:138
#1 <signal handler called>
#2 rrGetscreenResources (client=0x3195160, query=0) at ../../../../randr/rrscreen.c:577
#3 0x0000000000562bae in ProcRRGetscreenResourcesCurrent (client=0x3195160) at ../../../../randr/rrscreen.c:652
#4 OxOOOOB0000054de63 in ProcRRDispatch (client=0x3195160) at ../../../../randr/randr.c:717
#5 0x00000000004322c6 in Dispatch () at ../../../../dix/dispatch.c:485
#6 0x0900900990443139 in dix_main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/main.c:276
#7 0X0000000000421d9a in main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/stubmain.c:34
Signed-off-by: hongao <hongao@uniontech.com>
(cherry picked from commit 1443fd34ea37e8c7cedfac446e4a34205c5fbbb0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
randr/rroutput.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/randr/rroutput.c b/randr/rroutput.c
index e52ad7671..d98446ab1 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -374,6 +374,8 @@ RROutputDestroyResource(void *value, XID pid)
{
RROutputPtr output = (RROutputPtr) value;
ScreenPtr pScreen = output->pScreen;
+ ScreenPtr primary;
+ rrScrPrivPtr primarysp;
int m;
if (pScreen) {
@@ -394,6 +396,15 @@ RROutputDestroyResource(void *value, XID pid)
if (pScrPriv->primaryOutput == output)
pScrPriv->primaryOutput = NULL;
+ if (pScreen->isGPU) {
+ primary = pScreen->current_master;
+ if (primary) {
+ primarysp = rrGetScrPriv(primary);
+ if (primarysp->primaryOutput == output)
+ primarysp->primaryOutput = NULL;
+ }
+ }
+
for (i = 0; i < pScrPriv->numOutputs; i++) {
if (pScrPriv->outputs[i] == output) {
memmove(pScrPriv->outputs + i, pScrPriv->outputs + i + 1,
--
2.54.0

31
SOURCES/0029-Make-xf86CompatOutput-return-NULL-when-there-are-no-.patch
View File

@ -1,31 +0,0 @@
From 8b532c093256aea097867ec12afab459076f28a3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Sun, 31 Oct 2021 11:28:28 +0100
Subject: [PATCH xserver 29/51] Make xf86CompatOutput() return NULL when there
are no privates
Some drivers (mach64 w/o DRI for instance) don't initialize privates.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
(cherry picked from commit 80eeff3ebac772e25c9107199989e677457dbe06)
---
hw/xfree86/modes/xf86Crtc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 1d1124a1b..2ab16322b 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -839,6 +839,9 @@ xf86CompatOutput(ScrnInfoPtr pScrn)
{
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+ if (xf86CrtcConfigPrivateIndex == -1)
+ return NULL;
+
if (config->compat_output < 0)
return NULL;
return config->output[config->compat_output];
--
2.54.0

37
SOURCES/0030-Better-fix-for-xf86CompatOut-when-there-are-no-priva.patch
View File

@ -1,37 +0,0 @@
From c739165b8d2782ea9059494c482aa1854dfb74f3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Sun, 5 Dec 2021 21:59:12 +0100
Subject: [PATCH xserver 30/51] Better fix for xf86CompatOut() when there are
no privates
XF86_CRTC_CONFIG_PTR() will derefence privates[-1] in this case.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 75d70612888f18339703315549db781a22c0cb23)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/modes/xf86Crtc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 2ab16322b..2b0fb687c 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -837,11 +837,11 @@ extern _X_EXPORT int xf86CrtcConfigPrivateIndex;
static _X_INLINE xf86OutputPtr
xf86CompatOutput(ScrnInfoPtr pScrn)
{
- xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+ xf86CrtcConfigPtr config;
if (xf86CrtcConfigPrivateIndex == -1)
return NULL;
-
+ config = XF86_CRTC_CONFIG_PTR(pScrn);
if (config->compat_output < 0)
return NULL;
return config->output[config->compat_output];
--
2.54.0

35
SOURCES/0031-xf86-check-return-value-of-XF86_CRTC_CONFIG_PTR-in-x.patch
View File

@ -1,35 +0,0 @@
From 33ce204fd96b7f46f97da73f3144eca384584513 Mon Sep 17 00:00:00 2001
From: Benjamin Valentin <benjamin.valentin@ml-pa.com>
Date: Mon, 27 Dec 2021 14:53:22 +0100
Subject: [PATCH xserver 31/51] xf86: check return value of
XF86_CRTC_CONFIG_PTR in xf86CompatOutput()
If privates[xf86CrtcConfigPrivateIndex].ptr is NULL, this will cause
a segfault.
Possible fix for !1241
Signed-off-by: Benjamin Valentin <benjamin.valentin@ml-pa.com>
(cherry picked from commit 907c501926775fdbc9a8bfcfd3d64ac3d5502775)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/modes/xf86Crtc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 2b0fb687c..d8cba59fd 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -842,7 +842,7 @@ xf86CompatOutput(ScrnInfoPtr pScrn)
if (xf86CrtcConfigPrivateIndex == -1)
return NULL;
config = XF86_CRTC_CONFIG_PTR(pScrn);
- if (config->compat_output < 0)
+ if ((config == NULL) || (config->compat_output < 0))
return NULL;
return config->output[config->compat_output];
}
--
2.54.0

48
SOURCES/0032-os-include-assert.h-in-ospoll.c.patch
View File

@ -1,48 +0,0 @@
From 4df75d6f5a98cdefc52d459ad9f6fce3ba5f642b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 14 Mar 2026 17:06:28 -0700
Subject: [PATCH xserver 32/51] os: include <assert.h> in ospoll.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes build failure in mingw-cross-build:
../os/ospoll.c: In function ospoll_destroy:
../os/ospoll.c:266:9: error: implicit declaration of function assert
[-Werror=implicit-function-declaration]
266 | assert (ospoll->num == 0);
| ^~~~~~
../os/ospoll.c:59:1: note: assert is defined in header <assert.h>;
did you forget to #include <assert.h>?
58 | #include "xserver_poll.h"
+++ |+#include <assert.h>
59 | #define POLL 1
../os/ospoll.c:266:9: warning: nested extern declaration of assert
[-Wnested-externs]
266 | assert (ospoll->num == 0);
| ^~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7f8570bfa16bd41e4536385b46742cc316546529)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
os/ospoll.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/os/ospoll.c b/os/ospoll.c
index c68aabc87..387ead4e0 100644
--- a/os/ospoll.c
+++ b/os/ospoll.c
@@ -26,6 +26,7 @@
#include <X11/X.h>
#include <X11/Xproto.h>
+#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
#include "misc.h" /* for typedef of pointer */
--
2.54.0

49
SOURCES/0033-os-make-FormatInt64-handle-LONG_MIN-correctly.patch
View File

@ -1,49 +0,0 @@
From 77d1f03ec166c3c4e12b05dd51aa0ad41d18694c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 19 Dec 2025 17:10:43 -0800
Subject: [PATCH xserver 33/51] os: make FormatInt64() handle LONG_MIN
correctly
When compiling with gcc 15.2.0 using -O3 -m64 on Solaris SPARC & x64,
we'd get a test failure of:
Assertion failed: strcmp(logmsg, expected) == 0,
file ../test/signal-logging.c, line 339, function logging_format
because 'num *= 1' produced a value that was out of the range of the
int64_t it was being stored in. (Compiling with -O2 worked fine with
the same compiler/configuration/platform though.)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7f68b588657ea14050971efa86682e55e2c7e21b)
(cherry picked from commit 3eac9393d734a1aa8342179f98e30569da70db95)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
os/utils.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/os/utils.c b/os/utils.c
index 0a9f36fcd..7130c27aa 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -2084,12 +2084,14 @@ xstrtokenize(const char *str, const char *separators)
void
FormatInt64(int64_t num, char *string)
{
+ uint64_t unum = num;
+
if (num < 0) {
string[0] = '-';
- num *= -1;
+ unum = num * -1;
string++;
}
- FormatUInt64(num, string);
+ FormatUInt64(unum, string);
}
/* Format a number into a string in a signal safe manner. The string should be
--
2.54.0

31
SOURCES/0034-os-use-close-on-exec-for-X-server-socket-to-prevent-.patch
View File

@ -1,31 +0,0 @@
From aa5e76a3983061b9471334b3619d207b41d91d13 Mon Sep 17 00:00:00 2001
From: Twaik Yont <9674930+twaik@users.noreply.github.com>
Date: Thu, 10 Apr 2025 17:55:58 +0300
Subject: [PATCH xserver 34/51] os: use close-on-exec for X server socket to
prevent fd leaks
In most typical Linux X servers (like Xvfb, Xephyr, or Xwayland), no child process outlives the server, so this issue rarely arises. However, in embedded X servers (based on Xvfb or Kdrive) or in custom Xorg modules, the server might launch a long-running command with regular fork+exec calls. If the X server crashes or exits while that command is still running (for example, it spawns a tombstone generator or any process that hangs or turns to zombie), the file descriptor associated with the abstract socket can remain open in the child process. This leads to the kernel refusing to allow another X server to bind the same socket until the child process terminates (because there is no explicit way to unlink abstract socket, unlike Unix socket). By marking the file descriptor as close-on-exec, we ensure it is automatically closed in child processes, preserving the ability of a new X server process to bind the socket immediately.
Signed-off-by: Twaik Yont <9674930+twaik@users.noreply.github.com>
(cherry picked from commit 5568b0f83f388a295f42d49411ced17387043794)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
os/connection.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/os/connection.c b/os/connection.c
index 32d2cda2a..406f8763e 100644
--- a/os/connection.c
+++ b/os/connection.c
@@ -283,6 +283,7 @@ CreateWellKnownSockets(void)
int fd = _XSERVTransGetConnectionNumber(ListenTransConns[i]);
ListenTransFds[i] = fd;
+ _XSERVTransSetOption(ListenTransConns[i], TRANS_CLOSEONEXEC, 0);
SetNotifyFd(fd, QueueNewConnections, X_NOTIFY_READ, NULL);
if (!_XSERVTransIsLocal(ListenTransConns[i]))
--
2.54.0

45
SOURCES/0035-xf86bigfont-fix-Wimplicit-function-declaration-error.patch
View File

@ -1,45 +0,0 @@
From 438c50a04248e7dcbd1f500bd5787034157b82c7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Aug 2025 09:43:33 -0700
Subject: [PATCH xserver 35/51] xf86bigfont: fix
-Wimplicit-function-declaration error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Build breaks with gcc 14 & later when xf86bigfont is enabled:
../Xext/xf86bigfont.c: In function XFree86BigfontExtensionInit:
../Xext/xf86bigfont.c:709:28: error: implicit declaration of function
xfont2_allocate_font_private_index;
did you mean AllocateFontPrivateIndex? [-Wimplicit-function-declaration]
709 | FontShmdescIndex = xfont2_allocate_font_private_index();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| AllocateFontPrivateIndex
Fixes: 05a793f5b ("dix: Switch to the libXfont2 API (v2)")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0617f6075b6a867c90912ccaf9de2200d06a5419)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
Xext/xf86bigfont.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Xext/xf86bigfont.c b/Xext/xf86bigfont.c
index 529595bb7..13f7fbf10 100644
--- a/Xext/xf86bigfont.c
+++ b/Xext/xf86bigfont.c
@@ -58,6 +58,9 @@
#include <X11/X.h>
#include <X11/Xproto.h>
+#include <X11/fonts/fontstruct.h>
+#include <X11/fonts/libxfont2.h>
+
#include "misc.h"
#include "os.h"
#include "dixstruct.h"
--
2.54.0

88
SOURCES/0036-glamor-handle-potential-NULL-return-from-GetPictureS.patch
View File

@ -1,88 +0,0 @@
From 5a2199f57a361100edbab68d2feee192c51fc682 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 25 Oct 2025 15:33:40 -0700
Subject: [PATCH xserver 36/51] glamor: handle potential NULL return from
GetPictureScreenIfSet()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike GetPictureScreen(), GetPictureScreenIfSet() checks if the
private key is registered, and returns NULL if it is not.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor.c:926:5:
warning[-Wanalyzer-null-dereference]: dereference of NULL ps
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 69b48423bd66f04bac8a633004ebc8e6e691756f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor.c | 38 +++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/glamor/glamor.c b/glamor/glamor.c
index abefef614..236c45d6d 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -711,23 +711,25 @@ glamor_init(ScreenPtr screen, unsigned int flags)
glamor_priv->saved_procs.bitmap_to_region = screen->BitmapToRegion;
screen->BitmapToRegion = glamor_bitmap_to_region;
- glamor_priv->saved_procs.composite = ps->Composite;
- ps->Composite = glamor_composite;
+ if (ps) {
+ glamor_priv->saved_procs.composite = ps->Composite;
+ ps->Composite = glamor_composite;
- glamor_priv->saved_procs.trapezoids = ps->Trapezoids;
- ps->Trapezoids = glamor_trapezoids;
+ glamor_priv->saved_procs.trapezoids = ps->Trapezoids;
+ ps->Trapezoids = glamor_trapezoids;
- glamor_priv->saved_procs.triangles = ps->Triangles;
- ps->Triangles = glamor_triangles;
+ glamor_priv->saved_procs.triangles = ps->Triangles;
+ ps->Triangles = glamor_triangles;
- glamor_priv->saved_procs.addtraps = ps->AddTraps;
- ps->AddTraps = glamor_add_traps;
+ glamor_priv->saved_procs.addtraps = ps->AddTraps;
+ ps->AddTraps = glamor_add_traps;
- glamor_priv->saved_procs.composite_rects = ps->CompositeRects;
- ps->CompositeRects = glamor_composite_rectangles;
+ glamor_priv->saved_procs.composite_rects = ps->CompositeRects;
+ ps->CompositeRects = glamor_composite_rectangles;
- glamor_priv->saved_procs.glyphs = ps->Glyphs;
- ps->Glyphs = glamor_composite_glyphs;
+ glamor_priv->saved_procs.glyphs = ps->Glyphs;
+ ps->Glyphs = glamor_composite_glyphs;
+ }
glamor_init_vbo(screen);
glamor_init_gradient_shader(screen);
@@ -784,11 +786,13 @@ glamor_close_screen(ScreenPtr screen)
screen->BitmapToRegion = glamor_priv->saved_procs.bitmap_to_region;
screen->BlockHandler = glamor_priv->saved_procs.block_handler;
- ps->Composite = glamor_priv->saved_procs.composite;
- ps->Trapezoids = glamor_priv->saved_procs.trapezoids;
- ps->Triangles = glamor_priv->saved_procs.triangles;
- ps->CompositeRects = glamor_priv->saved_procs.composite_rects;
- ps->Glyphs = glamor_priv->saved_procs.glyphs;
+ if (ps) {
+ ps->Composite = glamor_priv->saved_procs.composite;
+ ps->Trapezoids = glamor_priv->saved_procs.trapezoids;
+ ps->Triangles = glamor_priv->saved_procs.triangles;
+ ps->CompositeRects = glamor_priv->saved_procs.composite_rects;
+ ps->Glyphs = glamor_priv->saved_procs.glyphs;
+ }
screen_pixmap = screen->GetScreenPixmap(screen);
glamor_pixmap_destroy_fbo(screen_pixmap);
--
2.54.0

45
SOURCES/0037-glamor-handle-allocation-failure-in-glamor_create_pi.patch
View File

@ -1,45 +0,0 @@
From 557660af8831f2395e40ad9019104d2119d3cb20 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 25 Oct 2025 16:27:34 -0700
Subject: [PATCH xserver 37/51] glamor: handle allocation failure in
glamor_create_pixmap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported by gcc 15.1:
../glamor/glamor.c: In function glamor_create_pixmap:
../glamor/glamor.c:233:23: warning: potential null pointer dereference
[-Wnull-dereference]
233 | pixmap_priv->type = GLAMOR_TEXTURE_ONLY;
| ~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
../glamor/glamor.c:228:26: warning: potential null pointer dereference
[-Wnull-dereference]
228 | pixmap_priv->is_cbcr = (GLAMOR_CREATE_FORMAT_CBCR & usage) == GLAMOR_CREATE_FORMAT_CBCR;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit cc647f23679ae2beb7b971aa7d1203375c25bb55)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/glamor/glamor.c b/glamor/glamor.c
index 236c45d6d..01fb3ac80 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -220,6 +220,9 @@ glamor_create_pixmap(ScreenPtr screen, int w, int h, int depth,
else
pixmap = fbCreatePixmap(screen, 0, 0, depth, usage);
+ if (!pixmap)
+ return NullPixmap;
+
pixmap_priv = glamor_get_pixmap_private(pixmap);
format = gl_iformat_for_pixmap(pixmap);
--
2.54.0

41
SOURCES/0038-glamor-silence-false-positive-in-glamor_validate_gc.patch
View File

@ -1,41 +0,0 @@
From 7a65240a6e20590814c44ab2286108c59446ba1f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Oct 2025 12:56:13 -0700
Subject: [PATCH xserver 38/51] glamor: silence false positive in
glamor_validate_gc()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We know that if gc->tileIsPixel is false, then gc->tile.pixmap must be
a valid pixmap, but gcc's static analyzer doesn't and needs to be told.
Silences false positive reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_core.c:205:19:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a79bdc495eaabd770cec03badd74c3b023877ba1)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/glamor/glamor_core.c b/glamor/glamor_core.c
index cb315e2d1..05e37a162 100644
--- a/glamor/glamor_core.c
+++ b/glamor/glamor_core.c
@@ -199,6 +199,8 @@ glamor_validate_gc(GCPtr gc, unsigned long changes, DrawablePtr drawable)
*/
if (changes & GCTile) {
if (!gc->tileIsPixel) {
+ assert(gc->tile.pixmap != NullPixmap);
+
glamor_pixmap_private *pixmap_priv =
glamor_get_pixmap_private(gc->tile.pixmap);
if ((!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
--
2.54.0

93
SOURCES/0039-glamor-handle-allocation-failures-in-glamor_largepix.patch
View File

@ -1,93 +0,0 @@
From c58f85aaaea2613c3049a6032d75d2422d748c71 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Oct 2025 15:39:47 -0700
Subject: [PATCH xserver 39/51] glamor: handle allocation failures in
glamor_largepixmap.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:130:17:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL clipped_regions
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:235:13:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL result_regions
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:365:9:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL clipped_regions
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:1175:9:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL source_pixmap_priv
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 84cf20e6ddacbfc62637f156a92d673574c43604)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor_largepixmap.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index f9adb93bc..ba347e3d2 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -77,6 +77,10 @@ __glamor_compute_clipped_regions(int block_w,
clipped_regions = calloc((end_block_x - start_block_x + 1)
* (end_block_y - start_block_y + 1),
sizeof(*clipped_regions));
+ if (clipped_regions == NULL) {
+ *n_region = 0;
+ return NULL;
+ }
DEBUGF("startx %d starty %d endx %d endy %d \n",
start_x, start_y, end_x, end_y);
@@ -216,6 +220,11 @@ glamor_compute_clipped_regions_ext(PixmapPtr pixmap,
inner_block_w)
* ((block_h + inner_block_h - 1) /
inner_block_h), sizeof(*result_regions));
+ if (result_regions == NULL) {
+ *n_region = 0;
+ free(clipped_regions);
+ return NULL;
+ }
k = 0;
for (i = 0; i < *n_region; i++) {
x = box_array[clipped_regions[i].block_idx].x1;
@@ -362,10 +371,14 @@ _glamor_compute_clipped_regions(PixmapPtr pixmap,
DEBUGRegionPrint(region);
if (glamor_pixmap_priv_is_small(pixmap_priv)) {
clipped_regions = calloc(1, sizeof(*clipped_regions));
- clipped_regions[0].region = RegionCreate(NULL, 1);
- clipped_regions[0].block_idx = 0;
- RegionCopy(clipped_regions[0].region, region);
- *n_region = 1;
+ if (clipped_regions) {
+ clipped_regions[0].region = RegionCreate(NULL, 1);
+ clipped_regions[0].block_idx = 0;
+ RegionCopy(clipped_regions[0].region, region);
+ *n_region = 1;
+ }
+ else
+ *n_region = 0;
return clipped_regions;
}
@@ -1172,6 +1185,8 @@ glamor_composite_largepixmap_region(CARD8 op,
/* XXX self-copy... */
need_free_source_pixmap_priv = source_pixmap_priv;
source_pixmap_priv = malloc(sizeof(*source_pixmap_priv));
+ if (source_pixmap_priv == NULL)
+ return FALSE;
*source_pixmap_priv = *need_free_source_pixmap_priv;
need_free_source_pixmap_priv = source_pixmap_priv;
}
--
2.54.0

38
SOURCES/0040-glamor-avoid-null-dereference-in-glamor_dash_setup.patch
View File

@ -1,38 +0,0 @@
From b04a54c567eb0f31bc7d58e47d1adf6b04b3c981 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 28 Oct 2025 18:16:00 -0700
Subject: [PATCH xserver 40/51] glamor: avoid null dereference in
glamor_dash_setup()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_dash.c:152:10:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c6522229b86f9087347b17280b6e5f19345baf9a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor_dash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
index b53ce5c50..ec8bf36bf 100644
--- a/glamor/glamor_dash.c
+++ b/glamor/glamor_dash.c
@@ -149,7 +149,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc)
dash_pixmap = glamor_get_dash_pixmap(gc);
dash_priv = glamor_get_pixmap_private(dash_pixmap);
- if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
+ if (!dash_priv || !GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
goto bail;
glamor_make_current(glamor_priv);
--
2.54.0

38
SOURCES/0041-glamor-avoid-null-dereference-in-glamor_composite_cl.patch
View File

@ -1,38 +0,0 @@
From 3ab3771224837193aaae44d95b4f7dd6552c64ad Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 2 Nov 2025 11:23:37 -0800
Subject: [PATCH xserver 41/51] glamor: avoid null dereference in
glamor_composite_clipped_region()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_render.c:1577:21:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6a4ec30af49bcbf61cf8ebc3a8f5541abac9024d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor_render.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glamor/glamor_render.c b/glamor/glamor_render.c
index d5737018f..7a037e47c 100644
--- a/glamor/glamor_render.c
+++ b/glamor/glamor_render.c
@@ -1465,7 +1465,7 @@ glamor_composite_clipped_region(CARD8 op,
if (source
&& ((!source->pDrawable
&& (source->pSourcePict->type != SourcePictTypeSolidFill))
- || (source->pDrawable
+ || (source->pDrawable && source_pixmap
&& !GLAMOR_PIXMAP_PRIV_HAS_FBO(source_pixmap_priv)
&& (source_pixmap->drawable.width != width
|| source_pixmap->drawable.height != height)))) {
--
2.54.0

49
SOURCES/0042-glamor-avoid-double-free-in-glamor_make_pixmap_expor.patch
View File

@ -1,49 +0,0 @@
From 90358719e7eec514929256d3cf75f2dbe132f97d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 2 Nov 2025 12:16:56 -0800
Subject: [PATCH xserver 42/51] glamor: avoid double free in
glamor_make_pixmap_exportable()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported by gcc 15.1:
../glamor/glamor_egl.c:320:9:
warning: double-free of modifiers [CWE-415] [-Wanalyzer-double-free]
[...]
│ 732 |│ free(*modifiers);
│ |│ ~~~~~~~~~~~~~~~~
│ |│ |
│ |└───────>(25) ...to here
│ | (26) first free here
[...]
│ 320 | free(modifiers);
│ | ~~~~~~~~~~~~~~~
│ | |
│ | (28) ⚠️ second free here; first free was at (26)
Fixes: cef12efc1 ("glamor: Implement GetSupportedModifiers")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 3e9baa20f39b0502efdaf48c2ca7e2f58d1e3120)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
glamor/glamor_egl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/glamor/glamor_egl.c b/glamor/glamor_egl.c
index 4120c2e7d..3687eb675 100644
--- a/glamor/glamor_egl.c
+++ b/glamor/glamor_egl.c
@@ -680,6 +680,7 @@ glamor_get_modifiers(ScreenPtr screen, uint32_t format,
if (!eglQueryDmaBufModifiersEXT(glamor_egl->display, format, num,
(EGLuint64KHR *) *modifiers, NULL, &num)) {
free(*modifiers);
+ *modifiers = NULL;
return FALSE;
}
--
2.54.0

41
SOURCES/0043-xkb-fix-incorrect-size-check-when-growing-doodads-in.patch
View File

@ -1,41 +0,0 @@
From 0458dead41dbea8b4675c86d7151a62b7efa6237 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Tue, 14 Apr 2026 12:06:51 +0300
Subject: [PATCH xserver 43/51] xkb: fix incorrect size check when growing
doodads in a section
In XkbAddGeomDoodad(), when adding a doodad to a specific section
(section != NULL), there is a comparison between section->num_doodads
and geom->sz_doodads instead of the section's own section->sz_doodads.
The else branch (global geometry doodads) was already correct.
Compare section->num_doodads against section->sz_doodads to prevent
a potential out-of-bounds.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit dd8b8cf49d326802c53b01835618a7e3765d91cb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/XKBGAlloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c
index f0cda24fe..9b71f6121 100644
--- a/xkb/XKBGAlloc.c
+++ b/xkb/XKBGAlloc.c
@@ -769,7 +769,7 @@ XkbAddGeomDoodad(XkbGeometryPtr geom, XkbSectionPtr section, Atom name)
return doodad;
}
if (section) {
- if ((section->num_doodads >= geom->sz_doodads) &&
+ if ((section->num_doodads >= section->sz_doodads) &&
(_XkbAllocDoodads(section, 1) != Success)) {
return NULL;
}
--
2.54.0

43
SOURCES/0044-xkb-fix-potential-buff-overflow-in-XkbVModIndexText-.patch
View File

@ -1,43 +0,0 @@
From 6164f19b0df91d77d814ae7ee4e0876f2583cffe Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Tue, 14 Apr 2026 13:22:35 +0300
Subject: [PATCH xserver 44/51] xkb: fix potential buff overflow in
XkbVModIndexText for XkbCFile format
len calculation and strncpy limit were off by one when prefixing
"vmod_" to the virtual modifier name. This could write the final
NULL one byte past the allocated buffer from tbGetBuffer().
Use proper allocation len for prefix to avoid writing out-of-bounds.
Found by Linux Verification Center (linuxtesting.org) with SVACE
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 5dfb435c1d864bf154369cb86d085d4159730378)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/xkbtext.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index 002626450..c2db41f7a 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -129,11 +129,11 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
len = strlen(tmp) + 1;
if (format == XkbCFile)
- len += 4;
+ len += 5;
rtrn = tbGetBuffer(len);
if (format == XkbCFile) {
strcpy(rtrn, "vmod_");
- strncpy(&rtrn[5], tmp, len - 4);
+ strncpy(&rtrn[5], tmp, len - 5);
}
else
strncpy(rtrn, tmp, len);
--
2.54.0

52
SOURCES/0046-xkb-Fix-out-of-bounds-array-access-in-_CheckSetShape.patch
View File

@ -1,52 +0,0 @@
From 2cafacd074770724046ee3add86467dd6a71e72e Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Sat, 18 Apr 2026 07:34:51 +1000
Subject: [PATCH xserver 46/51] xkb: Fix out-of-bounds array access in
_CheckSetShapes()
The primaryNdx and approxNdx fields in the shape wire description are
attacker-controlled CARD8 values from the client request. They are used
to index into the shape->outlines[] array, but were only checked against
XkbNoShape (0xff) and never validated against the actual number of
outlines (shapeWire->nOutlines).
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 86a321ad98213957bbb56f295417b0939326718b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/xkb.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 887b87b07..c1ec0c516 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5566,10 +5566,22 @@ _CheckSetShapes(XkbGeometryPtr geom,
ol->num_points = olWire->nPoints;
olWire = (xkbOutlineWireDesc *)ptWire;
}
- if (shapeWire->primaryNdx != XkbNoShape)
+ if (shapeWire->primaryNdx != XkbNoShape) {
+ if (shapeWire->primaryNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->primaryNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
shape->primary = &shape->outlines[shapeWire->primaryNdx];
- if (shapeWire->approxNdx != XkbNoShape)
+ }
+ if (shapeWire->approxNdx != XkbNoShape) {
+ if (shapeWire->approxNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->approxNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
shape->approx = &shape->outlines[shapeWire->approxNdx];
+ }
shapeWire = (xkbShapeWireDesc *) olWire;
}
wire = (char *) shapeWire;
--
2.54.0

41
SOURCES/0047-xkb-Fix-off-by-one-in-color-index-validation-in-_Che.patch
View File

@ -1,41 +0,0 @@
From b81807ab582993a0a45ccb4feb28dccf88ac3fed Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Sat, 18 Apr 2026 07:35:15 +1000
Subject: [PATCH xserver 47/51] xkb: Fix off-by-one in color index validation
in _CheckSetGeom()
The bounds checks for baseColorNdx and labelColorNdx in _CheckSetGeom()
use '>' instead of '>=' when comparing against req->nColors. Since
nColors is a count and valid indices are 0 to nColors-1, an index equal
to nColors is one past the end of the array.
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 6b6e8020b902e48e3330f9a54cd439a51988bc50)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/xkb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index c1ec0c516..c6e2bf40c 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5631,12 +5631,12 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
client->errorValue = _XkbErrCode3(0x01, 2, req->nColors);
return BadValue;
}
- if (req->baseColorNdx > req->nColors) {
+ if (req->baseColorNdx >= req->nColors) {
client->errorValue =
_XkbErrCode3(0x03, req->nColors, req->baseColorNdx);
return BadMatch;
}
- if (req->labelColorNdx > req->nColors) {
+ if (req->labelColorNdx >= req->nColors) {
client->errorValue =
_XkbErrCode3(0x03, req->nColors, req->labelColorNdx);
return BadMatch;
--
2.54.0

55
SOURCES/0048-xkb-Fix-off-by-one-and-NULL-dereferences-in-_CheckSe.patch
View File

@ -1,55 +0,0 @@
From a1b025ef5278cd9e404136e9b4ef9aa769112533 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Sat, 18 Apr 2026 07:35:53 +1000
Subject: [PATCH xserver 48/51] xkb: Fix off-by-one and NULL dereferences in
_CheckSetOverlay()
Off-by-one in rowUnder validation: the bounds check uses '>' instead
of '>=' when comparing rWire->rowUnder against section->num_rows.
Since num_rows is a count and valid indices are 0 to num_rows-1,
rowUnder == num_rows passes the check but is one past the valid range.
XkbAddGeomOverlayRow() uses this as an array index, causing an
out-of-bounds read on section->rows[].
And throw in two alloc checks while we're at it.
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit ed19312c4bda0a8f66b236348ffc553e5d8d2a09)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/xkb.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index c6e2bf40c..b2c2dfa24 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5362,6 +5362,8 @@ _CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
}
CHK_ATOM_ONLY(olWire->name);
ol = XkbAddGeomOverlay(section, olWire->name, olWire->nRows);
+ if (!ol)
+ return BadAlloc;
rWire = (xkbOverlayRowWireDesc *) &olWire[1];
for (r = 0; r < olWire->nRows; r++) {
register int k;
@@ -5371,12 +5373,14 @@ _CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
return BadLength;
- if (rWire->rowUnder > section->num_rows) {
+ if (rWire->rowUnder >= section->num_rows) {
client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
rWire->rowUnder);
return BadMatch;
}
row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
+ if (!row)
+ return BadAlloc;
kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
for (k = 0; k < rWire->nKeys; k++, kWire++) {
if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
--
2.54.0

50
SOURCES/0049-xkb-Add-bounds-check-for-action-data-in-CheckKeyActi.patch
View File

@ -1,50 +0,0 @@
From fa79e0f32fbdae0591fe07307ea4bf3ff2541fc2 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Sat, 18 Apr 2026 07:38:14 +1000
Subject: [PATCH xserver 49/51] xkb: Add bounds check for action data in
CheckKeyActions()
CheckKeyActions() validates the per-key action count bytes individually
but does not verify that the computed total action data region falls
within the request buffer before advancing the wire pointer past it.
After the loop, the function calculates the final wire position as
wire + nActs * sizeof(XkbAnyAction), where nActs is the sum of per-key
action counts read from the request. The upstream length validation in
_XkbSetMapCheckLength() uses req->totalActs from the request header,
not the computed nActs. If a crafted request provides a totalActs value
that passes the length check but per-key action counts that sum to a
different nActs, the wire pointer could advance past the actual request
buffer.
The subsequent SetKeyActions() function uses memcpy to read from this
potentially out-of-bounds region, which could leak heap data or cause
a crash.
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit a439a7340ad976983ef34eca4f537831b38e191f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
xkb/xkb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b2c2dfa24..fc0476056 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1863,6 +1863,11 @@ CheckKeyActions(ClientPtr client,
if (req->nKeyActs % 4)
wire += 4 - (req->nKeyActs % 4);
*wireRtrn = (CARD8 *) (((XkbAnyAction *) wire) + nActs);
+ if (nActs > 0 &&
+ !_XkbCheckRequestBounds(client, req, wire, *wireRtrn)) {
+ *nActsRtrn = _XkbErrCode2(0x25, nActs);
+ return 0;
+ }
*nActsRtrn = nActs;
return 1;
}
--
2.54.0

35
SOURCES/0050-present-actually-return-the-created-notifies.patch
View File

@ -1,35 +0,0 @@
From 698d94109a7839785857b9b6295df37e26b58337 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 6 May 2026 11:45:15 +1000
Subject: [PATCH xserver 50/51] present: actually return the created notifies
present_create_notifies() creates an array of notifies but never returns
them to the caller, despite them being passed individually to
present_add_window_notify(). The caller proceeds with a NULL notifies
array, eventually causing an OOB in present_vblank_notify() when
vblank->notifies is NULL.
Reported-by: Feng Ning, Innora Pte. Ltd.
(cherry picked from commit f70cc16c6831c9faa14c1f2a8588c6efb6ede263)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
present/present_notify.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/present/present_notify.c b/present/present_notify.c
index 924de380a..69dfe62b4 100644
--- a/present/present_notify.c
+++ b/present/present_notify.c
@@ -96,6 +96,8 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
added++;
}
+
+ *p_notifies = notifies;
return Success;
bail:
--
2.54.0

70
SOURCES/0051-glx-reject-negative-size-in-FeedbackBuffer-and-Selec.patch
View File

@ -1,70 +0,0 @@
From 0eb7bf6f31e0af293f3b92b6ed11d5e3bb998302 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 17 Apr 2026 12:02:13 +1000
Subject: [PATCH xserver 51/51] glx: reject negative size in FeedbackBuffer and
SelectBuffer requests
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 54860e6c7f513739adf225a7998004f230db81a0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
glx/single2.c | 8 ++++++++
glx/single2swap.c | 8 ++++++++
2 files changed, 16 insertions(+)
diff --git a/glx/single2.c b/glx/single2.c
index 36a01f0cb..948d00f1d 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -61,6 +61,10 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
size = *(GLsizei *) (pc + 0);
type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
if (cx->feedbackBufSize < size) {
cx->feedbackBuf = reallocarray(cx->feedbackBuf,
(size_t) size, __GLX_SIZE_FLOAT32);
@@ -91,6 +95,10 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
if (cx->selectBufSize < size) {
cx->selectBuf = reallocarray(cx->selectBuf,
(size_t) size, __GLX_SIZE_CARD32);
diff --git a/glx/single2swap.c b/glx/single2swap.c
index b140946ba..fdc093900 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -62,6 +62,10 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLX_SWAP_INT(pc + 4);
size = *(GLsizei *) (pc + 0);
type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
if (cx->feedbackBufSize < size) {
cx->feedbackBuf = reallocarray(cx->feedbackBuf,
(size_t) size, __GLX_SIZE_FLOAT32);
@@ -96,6 +100,10 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
__GLX_SWAP_INT(pc + 0);
size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
if (cx->selectBufSize < size) {
cx->selectBuf = reallocarray(cx->selectBuf,
(size_t) size, __GLX_SIZE_CARD32);
--
2.54.0

164
SPECS/xorg-x11-server.spec
View File

@ -46,7 +46,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.11
Release: 28%{?gitdate:.%{gitdate}}%{?dist}.2
Release: 22%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@ -175,127 +175,6 @@ Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch
# Related to CVE-2024-21886
Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
# Fix compilation error on i686
Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
# Fix copy and paste error in CVE-2024-0229
Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
# CVE-2024-31080
Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
# CVE-2024-31081
Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
# CVE-2024-31082
Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
# CVE-2024-31083
Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
# CVE-2024-9632
Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
# CVE-2025-49175: Out-of-bounds access in X Rendering extension
Patch10051: 0001-render-Avoid-0-or-less-animated-cursors.patch
# CVE-2025-49176: Integer overflow in Big Requests Extension
Patch10052: 0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
Patch10053: 0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
# CVE-2025-49178: Unprocessed client request via bytes to ignore
Patch10054: 0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
# CVE-2025-49179: Integer overflow in X Record extension
Patch10055: 0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
# CVE-2025-49180: Integer overflow in RandR extension
Patch10056: 0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
Patch10057: 0007-xfree86-Check-for-RandR-provider-functions.patch
# CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Patch10058: 0001-present-Fix-use-after-free-in-present_create_notifie.patch
# CVE-2025-62230: Use-after-free in Xkb client resource removal
Patch10059: 0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
Patch10060: 0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
# CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
Patch10061: 0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
# CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
Patch10062: 0001-xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
# CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
Patch10063: 0002-xkb-Fix-bounds-check-in-_CheckSetGeom.patch
# CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
Patch10064: 0003-miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
# CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
Patch10065: 0004-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
# CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
Patch10066: 0005-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
Patch10067: 0006-xkb-Add-more-_XkbCheckRequestBounds.patch
# ZDI-CAN-30159 - CVE-2026-50257 - XSYNC Use-After-Free in miSyncDestroyFence()
# ZDI-CAN-30163 - CVE-2026-50260 - XSYNC Use-After-Free in FreeCounter()
Patch10068: 0001-sync-fix-deletion-of-counters-and-fences.patch
# ZDI-CAN-30164 - CVE-2026-50261 - XSYNC Use-After-Free in SyncChangeCounter()
Patch10069: 0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch
# ZDI-CAN-30160 - CVE-2026-50258 - XKB Key Types Stack-based Buffer Overflow
Patch10070: 0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch
# ZDI-CAN-30161 - CVE-2026-50259 - XKB SetMap Request Stack-based Buffer Overflow
Patch10071: 0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch
# ZDI-CAN-30165 - CVE-2026-50262 - GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
Patch10072: 0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch
# ZDI-CAN-30168 - CVE-2026-50263 - CreateSaverWindow Use-After-Free Information Disclosure
Patch10073: 0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch
# ZDI-CAN-30136 - CVE-2026-50256 - Font Alias Stack-based Buffer Overflow
Patch10074: 0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch
# CVE-2026-50264 - DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
Patch10075: 0008-dri2-Use-booleans-for-fake-front-buffer-tracking-in-.patch
Patch10076: 0009-dri2-Deduplicate-attachments-in-do_get_buffer.patch
# Other security related fixes
Patch10077: 0001-os-avoid-potential-out-of-bounds-access-at-logVHdrMe.patch
Patch10078: 0002-dix-avoid-null-ptr-deref-at-doListFontsWithInfo.patch
Patch10079: 0003-panoramix-avoid-null-dereference-in-PanoramiXMaybeAd.patch
Patch10080: 0004-panoramix-avoid-null-dereference-in-PanoramiXConsoli.patch
Patch10081: 0005-Xext-shm-avoid-null-dereference-in-ShmInitScreenPriv.patch
Patch10082: 0006-Xext-sync-avoid-null-dereference-if-SysCounterGetPri.patch
Patch10083: 0007-Xext-sync-avoid-null-dereference-in-init_system_idle.patch
Patch10084: 0008-Xext-sync-Avoid-dereference-of-invalid-pointer-if-ma.patch
Patch10085: 0009-Xext-vidmode-avoid-null-dereference-if-VidModeCreate.patch
Patch10086: 0010-Xext-xres-avoid-null-dereference-in-ProcXResQueryCli.patch
Patch10087: 0011-Xext-xselinux-add-fast-path-to-ProcSELinuxListSelect.patch
Patch10088: 0012-Xext-xselinux-avoid-memory-leak-in-SELinuxAtomToSID.patch
Patch10089: 0013-Xext-xtest-avoid-null-dereference-in-ProcXTestFakeIn.patch
Patch10090: 0014-Xi-avoid-null-dereference-if-wOtherInputMasks-return.patch
Patch10091: 0015-Xi-set-value-for-led_values-in-CopySwapKbdFeedback.patch
Patch10092: 0016-Xi-handle-allocation-failure-in-ProcXGetDeviceDontPr.patch
Patch10093: 0017-Xi-handle-allocation-failure-in-ProcXListInputDevice.patch
Patch10094: 0018-Xi-handle-allocation-failure-in-add_master_func.patch
Patch10095: 0019-dix-handle-allocation-failure-in-DeviceFocusEvent.patch
Patch10096: 0020-dix-avoid-null-dereference-if-wOtherInputMasks-retur.patch
Patch10097: 0021-dix-assert-that-size-of-buffers-to-swap-is-a-multipl.patch
Patch10098: 0022-dix-handle-allocation-failure-in-ChangeWindowDeviceC.patch
Patch10099: 0023-xfree86-Fix-builds-with-gcc-Wpedantic.patch
Patch10100: 0024-dix-set-errorValue-correctly-when-XID-lookup-fails-i.patch
Patch10101: 0025-os-avoid-closing-null-fd-at-Fopen.patch
Patch10102: 0026-render-fix-multiple-mem-leaks-on-err-paths.patch
Patch10103: 0027-dix-avoid-null-ptr-deref-at-doListFontsAndAliases.patch
Patch10104: 0028-randr-clear-primary-screen-s-primaryOutput-when-the-.patch
Patch10105: 0029-Make-xf86CompatOutput-return-NULL-when-there-are-no-.patch
Patch10106: 0030-Better-fix-for-xf86CompatOut-when-there-are-no-priva.patch
Patch10107: 0031-xf86-check-return-value-of-XF86_CRTC_CONFIG_PTR-in-x.patch
Patch10108: 0032-os-include-assert.h-in-ospoll.c.patch
Patch10109: 0033-os-make-FormatInt64-handle-LONG_MIN-correctly.patch
Patch10110: 0034-os-use-close-on-exec-for-X-server-socket-to-prevent-.patch
Patch10111: 0035-xf86bigfont-fix-Wimplicit-function-declaration-error.patch
Patch10112: 0036-glamor-handle-potential-NULL-return-from-GetPictureS.patch
Patch10113: 0037-glamor-handle-allocation-failure-in-glamor_create_pi.patch
Patch10114: 0038-glamor-silence-false-positive-in-glamor_validate_gc.patch
Patch10115: 0039-glamor-handle-allocation-failures-in-glamor_largepix.patch
Patch10116: 0040-glamor-avoid-null-dereference-in-glamor_dash_setup.patch
Patch10117: 0041-glamor-avoid-null-dereference-in-glamor_composite_cl.patch
Patch10118: 0042-glamor-avoid-double-free-in-glamor_make_pixmap_expor.patch
Patch10119: 0043-xkb-fix-incorrect-size-check-when-growing-doodads-in.patch
Patch10120: 0044-xkb-fix-potential-buff-overflow-in-XkbVModIndexText-.patch
# No XIGrabtypeGestureSwipeBegin in el8
# Patch10121: 0045-Xi-add-missing-gesture-grab-type-checks-in-ProcXIPas.patch
Patch10122: 0046-xkb-Fix-out-of-bounds-array-access-in-_CheckSetShape.patch
Patch10123: 0047-xkb-Fix-off-by-one-in-color-index-validation-in-_Che.patch
Patch10124: 0048-xkb-Fix-off-by-one-and-NULL-dereferences-in-_CheckSe.patch
Patch10125: 0049-xkb-Add-bounds-check-for-action-data-in-CheckKeyActi.patch
Patch10126: 0050-present-actually-return-the-created-notifies.patch
Patch10127: 0051-glx-reject-negative-size-in-FeedbackBuffer-and-Selec.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2237
Patch10128: 0001-dix-Silence-a-compiler-warning-in-doListFontsAndAlia.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1257
Patch10129: 0001-xkb-fix-int-size-mismatch.patch
BuildRequires: make
BuildRequires: systemtap-sdt-devel
@ -438,7 +317,6 @@ License: MIT and GPLv2
Requires: xorg-x11-server-common >= %{version}-%{release}
# required for xvfb-run
Requires: xorg-x11-xauth
Requires: util-linux
Provides: Xvfb
%description Xvfb
@ -724,45 +602,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Fri Jun 12 2026 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-28.2
- Other security related fixes
Resolves: https://redhat.atlassian.net/browse/RHEL-184289
* Wed Jun 10 2026 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-28.1
- CVE fix for: CVE-2026-50256, CVE-2026-50257, CVE-2026-50258,
CVE-2026-50259, CVE-2026-50260, CVE-2026-50261,
CVE-2026-50262, CVE-2026-50263, CVE-2026-50264
Resolves: https://redhat.atlassian.net/browse/RHEL-182442
* Tue Apr 14 2026 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-28
- CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001
CVE-2026-34002, CVE-2026-34003
Resolves: https://redhat.atlassian.net/browse/RHEL-163216
Resolves: https://redhat.atlassian.net/browse/RHEL-163298
Resolves: https://redhat.atlassian.net/browse/RHEL-163229
* Thu Oct 30 2025 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-27
- CVE fix for: CVE-2025-62229 (RHEL-119953), CVE-2025-62230 (RHEL-120027),
CVE-2025-62231 (RHEL-124993)
* Wed Jun 18 2025 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-26
- CVE fix for: CVE-2025-49175 (RHEL-97273), CVE-2025-49176 (RHEL-97329),
CVE-2025-49178 (RHEL-97369), CVE-2025-49179 (RHEL-97422),
CVE-2025-49180 (RHEL-97235)
* Tue Oct 29 2024 José Expósito <jexposit@redhat.com> - 1.20.11-25
- CVE fix for CVE-2024-9632
* Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24
- Fix regression caused by the fix for CVE-2024-31083
* Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23
- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and
CVE-2024-31083
- Add util-linux as a dependency of Xvfb
- Fix compilation error on i686
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-22
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.4-24
- Fix use after free related to CVE-2024-21886
* Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-21