Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,45 +0,0 @@
|
||||
From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 22 Mar 2024 18:51:45 -0700
|
||||
Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
|
||||
to send reply
|
||||
|
||||
CVE-2024-31080
|
||||
|
||||
Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
|
||||
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
||||
---
|
||||
Xi/xiselectev.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
|
||||
index edcb8a0d3..ac1494987 100644
|
||||
--- a/Xi/xiselectev.c
|
||||
+++ b/Xi/xiselectev.c
|
||||
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
|
||||
InputClientsPtr others = NULL;
|
||||
xXIEventMask *evmask = NULL;
|
||||
DeviceIntPtr dev;
|
||||
+ uint32_t length;
|
||||
|
||||
REQUEST(xXIGetSelectedEventsReq);
|
||||
REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
|
||||
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* save the value before SRepXIGetSelectedEvents swaps it */
|
||||
+ length = reply.length;
|
||||
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
|
||||
|
||||
if (reply.num_masks)
|
||||
- WriteToClient(client, reply.length * 4, buffer);
|
||||
+ WriteToClient(client, length * 4, buffer);
|
||||
|
||||
free(buffer);
|
||||
return Success;
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 22 Jan 2024 14:22:12 +1000
|
||||
Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
|
||||
event
|
||||
|
||||
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 7b7ba1098..c1e6ac600 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
case 6:
|
||||
- ev->valuator2 = v->axisVal[first + 5];
|
||||
+ ev->valuator5 = v->axisVal[first + 5];
|
||||
case 5:
|
||||
- ev->valuator2 = v->axisVal[first + 4];
|
||||
+ ev->valuator4 = v->axisVal[first + 4];
|
||||
case 4:
|
||||
- ev->valuator2 = v->axisVal[first + 3];
|
||||
+ ev->valuator3 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,54 +0,0 @@
|
||||
From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Fri, 19 Jan 2024 13:05:51 +0100
|
||||
Subject: [PATCH] ephyr: Fix incompatible pointer type build error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fix a compilation error on 32 bits architectures with gcc 14:
|
||||
|
||||
ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
|
||||
ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)’} [-Wincompatible-pointer-types]
|
||||
154 | adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
|
||||
| ^
|
||||
ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)’} [-Wincompatible-pointer-types]
|
||||
155 | adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
|
||||
| ^
|
||||
|
||||
Build error logs:
|
||||
https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
---
|
||||
hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c
|
||||
index 4dd15cf41..b5eae48c8 100644
|
||||
--- a/hw/kdrive/ephyr/ephyr_glamor_xv.c
|
||||
+++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c
|
||||
@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup)
|
||||
|
||||
static int
|
||||
ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen,
|
||||
- Atom attribute, INT32 value, void *data)
|
||||
+ Atom attribute, int value, void *data)
|
||||
{
|
||||
- return glamor_xv_set_port_attribute(data, attribute, value);
|
||||
+ return glamor_xv_set_port_attribute(data, attribute, (INT32)value);
|
||||
}
|
||||
|
||||
static int
|
||||
ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
|
||||
- Atom attribute, INT32 *value, void *data)
|
||||
+ Atom attribute, int *value, void *data)
|
||||
{
|
||||
- return glamor_xv_get_port_attribute(data, attribute, value);
|
||||
+ return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value);
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,72 +0,0 @@
|
||||
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
||||
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
|
||||
|
||||
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
||||
then frees it using FreeGlyph() to decrease the reference count, after
|
||||
AddGlyph() has increased it.
|
||||
|
||||
AddGlyph() however may chose to reuse an existing glyph if it's already
|
||||
in the glyphSet, and free the glyph that was given, in which case the
|
||||
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
||||
already freed glyph, as reported by ASan:
|
||||
|
||||
READ of size 4 thread T0
|
||||
#0 in FreeGlyph xserver/render/glyph.c:252
|
||||
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
||||
#2 in Dispatch xserver/dix/dispatch.c:546
|
||||
#3 in dix_main xserver/dix/main.c:271
|
||||
#4 in main xserver/dix/stubmain.c:34
|
||||
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
||||
#7 (/usr/bin/Xwayland+0x44fe4)
|
||||
Address is located 0 bytes inside of 64-byte region
|
||||
freed by thread T0 here:
|
||||
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
||||
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
||||
#2 in AddGlyph xserver/render/glyph.c:295
|
||||
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
||||
#4 in Dispatch xserver/dix/dispatch.c:546
|
||||
#5 in dix_main xserver/dix/main.c:271
|
||||
#6 in main xserver/dix/stubmain.c:34
|
||||
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
previously allocated by thread T0 here:
|
||||
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
||||
#1 in AllocateGlyph xserver/render/glyph.c:355
|
||||
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
||||
#3 in Dispatch xserver/dix/dispatch.c:546
|
||||
#4 in dix_main xserver/dix/main.c:271
|
||||
#5 in main xserver/dix/stubmain.c:34
|
||||
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
||||
|
||||
To avoid that, make sure not to free the given glyph in AddGlyph().
|
||||
|
||||
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
||||
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
||||
|
||||
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
|
||||
---
|
||||
render/glyph.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index 13991f8a1..5fa7f3b5b 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
||||
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
||||
TRUE, glyph->sha1);
|
||||
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
||||
- FreeGlyphPicture(glyph);
|
||||
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
||||
glyph = gr->glyph;
|
||||
}
|
||||
else if (gr->glyph != glyph) {
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,54 +0,0 @@
|
||||
From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
||||
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
||||
buffer.
|
||||
|
||||
However, It didn't update its size properly. It updated `num_si` only,
|
||||
without updating `size_si`.
|
||||
|
||||
This may lead to local privilege escalation if the server is run as root
|
||||
or remote code execution (e.g. x11 over ssh).
|
||||
|
||||
CVE-2024-9632, ZDI-CAN-24756
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index f203270d5..70e8279aa 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
||||
- compat->num_si = req->firstSI + req->nSI;
|
||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
- compat->num_si,
|
||||
+ compat->size_si,
|
||||
sizeof(XkbSymInterpretRec));
|
||||
if (!compat->sym_interpret) {
|
||||
- compat->num_si = 0;
|
||||
+ compat->num_si = compat->size_si = 0;
|
||||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.46.2
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 22 Mar 2024 18:56:27 -0700
|
||||
Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
|
||||
to send reply
|
||||
|
||||
CVE-2024-31081
|
||||
|
||||
Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
||||
---
|
||||
Xi/xipassivegrab.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
|
||||
index c9ac2f855..896233bec 100644
|
||||
--- a/Xi/xipassivegrab.c
|
||||
+++ b/Xi/xipassivegrab.c
|
||||
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
||||
GrabParameters param;
|
||||
void *tmp;
|
||||
int mask_len;
|
||||
+ uint32_t length;
|
||||
|
||||
REQUEST(xXIPassiveGrabDeviceReq);
|
||||
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
|
||||
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
|
||||
+ length = rep.length;
|
||||
WriteReplyToClient(client, sizeof(rep), &rep);
|
||||
if (rep.num_modifiers)
|
||||
- WriteToClient(client, rep.length * 4, modifiers_failed);
|
||||
+ WriteToClient(client, length * 4, modifiers_failed);
|
||||
|
||||
out:
|
||||
free(modifiers_failed);
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 22 Mar 2024 19:07:34 -0700
|
||||
Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
|
||||
length to send reply
|
||||
|
||||
CVE-2024-31082
|
||||
|
||||
Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
||||
---
|
||||
hw/xquartz/xpr/appledri.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
|
||||
index 77574655b..40422b61a 100644
|
||||
--- a/hw/xquartz/xpr/appledri.c
|
||||
+++ b/hw/xquartz/xpr/appledri.c
|
||||
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||||
xAppleDRICreatePixmapReply rep;
|
||||
int width, height, pitch, bpp;
|
||||
void *ptr;
|
||||
+ CARD32 stringLength;
|
||||
|
||||
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
|
||||
|
||||
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||||
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
|
||||
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
|
||||
|
||||
+ stringLength = rep.stringLength; /* save unswapped value */
|
||||
if (client->swapped) {
|
||||
swaps(&rep.sequenceNumber);
|
||||
swapl(&rep.length);
|
||||
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||||
}
|
||||
|
||||
WriteToClient(client, sizeof(rep), &rep);
|
||||
- WriteToClient(client, rep.stringLength, path);
|
||||
+ WriteToClient(client, stringLength, path);
|
||||
|
||||
return Success;
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,112 +0,0 @@
|
||||
From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 30 Jan 2024 13:13:35 +1000
|
||||
Subject: [PATCH 4/4] render: fix refcounting of glyphs during
|
||||
ProcRenderAddGlyphs
|
||||
|
||||
Previously, AllocateGlyph would return a new glyph with refcount=0 and a
|
||||
re-used glyph would end up not changing the refcount at all. The
|
||||
resulting glyph_new array would thus have multiple entries pointing to
|
||||
the same non-refcounted glyphs.
|
||||
|
||||
AddGlyph may free a glyph, resulting in a UAF when the same glyph
|
||||
pointer is then later used.
|
||||
|
||||
Fix this by returning a refcount of 1 for a new glyph and always
|
||||
incrementing the refcount for a re-used glyph, followed by dropping that
|
||||
refcount back down again when we're done with it.
|
||||
|
||||
CVE-2024-31083, ZDI-CAN-22880
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
||||
---
|
||||
render/glyph.c | 5 +++--
|
||||
render/glyphstr_priv.h | 1 +
|
||||
render/render.c | 15 +++++++++++----
|
||||
3 files changed, 15 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index 850ea8440..13991f8a1 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
|
||||
}
|
||||
}
|
||||
|
||||
-static void
|
||||
+void
|
||||
FreeGlyph(GlyphPtr glyph, int format)
|
||||
{
|
||||
CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
|
||||
+ BUG_RETURN(glyph->refcnt == 0);
|
||||
if (--glyph->refcnt == 0) {
|
||||
GlyphRefPtr gr;
|
||||
int i;
|
||||
@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
|
||||
glyph = (GlyphPtr) malloc(size);
|
||||
if (!glyph)
|
||||
return 0;
|
||||
- glyph->refcnt = 0;
|
||||
+ glyph->refcnt = 1;
|
||||
glyph->size = size + sizeof(xGlyphInfo);
|
||||
glyph->info = *gi;
|
||||
dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
|
||||
diff --git a/render/glyphstr.h b/render/glyphstr.h
|
||||
index 2f51bd244..3b1d806d1 100644
|
||||
--- a/render/glyphstr.h
|
||||
+++ b/render/glyphstr.h
|
||||
@@ -108,6 +108,7 @@ extern Bool
|
||||
extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
|
||||
|
||||
extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
|
||||
+extern void FreeGlyph(GlyphPtr glyph, int format);
|
||||
|
||||
extern Bool
|
||||
ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index 29c5055c6..fe5e37dd9 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
|
||||
if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
|
||||
glyph_new->found = TRUE;
|
||||
+ ++glyph_new->glyph->refcnt;
|
||||
}
|
||||
else {
|
||||
GlyphPtr glyph;
|
||||
@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
- for (i = 0; i < nglyphs; i++)
|
||||
+ for (i = 0; i < nglyphs; i++) {
|
||||
AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
|
||||
+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
|
||||
+ }
|
||||
|
||||
if (glyphsBase != glyphsLocal)
|
||||
free(glyphsBase);
|
||||
@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
FreePicture((void *) pSrc, 0);
|
||||
if (pSrcPix)
|
||||
FreeScratchPixmapHeader(pSrcPix);
|
||||
- for (i = 0; i < nglyphs; i++)
|
||||
- if (glyphs[i].glyph && !glyphs[i].found)
|
||||
- free(glyphs[i].glyph);
|
||||
+ for (i = 0; i < nglyphs; i++) {
|
||||
+ if (glyphs[i].glyph) {
|
||||
+ --glyphs[i].glyph->refcnt;
|
||||
+ if (!glyphs[i].found)
|
||||
+ free(glyphs[i].glyph);
|
||||
+ }
|
||||
+ }
|
||||
if (glyphsBase != glyphsLocal)
|
||||
free(glyphsBase);
|
||||
return err;
|
||||
--
|
||||
2.44.0
|
||||
|
@ -46,7 +46,7 @@
|
||||
Summary: X.Org X11 X server
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 25%{?gitdate:.%{gitdate}}%{?dist}
|
||||
Release: 22%{?gitdate:.%{gitdate}}%{?dist}
|
||||
URL: http://www.x.org
|
||||
License: MIT
|
||||
Group: User Interface/X
|
||||
@ -175,21 +175,6 @@ Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
|
||||
Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch
|
||||
# Related to CVE-2024-21886
|
||||
Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
|
||||
# Fix compilation error on i686
|
||||
Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
|
||||
# Fix copy and paste error in CVE-2024-0229
|
||||
Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
|
||||
# CVE-2024-31080
|
||||
Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
|
||||
# CVE-2024-31081
|
||||
Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
|
||||
# CVE-2024-31082
|
||||
Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
|
||||
# CVE-2024-31083
|
||||
Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
|
||||
Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||
# CVE-2024-9632
|
||||
Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
@ -332,7 +317,6 @@ License: MIT and GPLv2
|
||||
Requires: xorg-x11-server-common >= %{version}-%{release}
|
||||
# required for xvfb-run
|
||||
Requires: xorg-x11-xauth
|
||||
Requires: util-linux
|
||||
Provides: Xvfb
|
||||
|
||||
%description Xvfb
|
||||
@ -618,19 +602,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 29 2024 José Expósito <jexposit@redhat.com> - 1.20.11-25
|
||||
- CVE fix for CVE-2024-9632
|
||||
|
||||
* Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24
|
||||
- Fix regression caused by the fix for CVE-2024-31083
|
||||
|
||||
* Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23
|
||||
- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and
|
||||
CVE-2024-31083
|
||||
- Add util-linux as a dependency of Xvfb
|
||||
- Fix compilation error on i686
|
||||
|
||||
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-22
|
||||
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.4-24
|
||||
- Fix use after free related to CVE-2024-21886
|
||||
|
||||
* Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-21
|
||||
|
Loading…
Reference in New Issue
Block a user