From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 13 Jan 2025 16:09:43 +0100
Subject: [PATCH xserver 08/13] composite: initialize border clip even when
 pixmap alloc fails

If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:

 Conditional jump or move depends on uninitialised value(s)
    at 0x4F9B33: compClipNotify (compwindow.c:317)
    by 0x484FC9: miComputeClips (mivaltree.c:476)
    by 0x48559A: miValidateTree (mivaltree.c:679)
    by 0x4F0685: MapWindow (window.c:2693)
    by 0x4A344A: ProcMapWindow (dispatch.c:922)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)
  Uninitialised value was created by a heap allocation
    at 0x4841866: malloc (vg_replace_malloc.c:446)
    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
    by 0x4EBB89: CreateWindow (window.c:925)
    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)

 Conditional jump or move depends on uninitialised value(s)
    at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
    by 0x4F9255: RegionTranslate (regionstr.h:312)
    by 0x4F9B7E: compClipNotify (compwindow.c:319)
    by 0x484FC9: miComputeClips (mivaltree.c:476)
    by 0x48559A: miValidateTree (mivaltree.c:679)
    by 0x4F0685: MapWindow (window.c:2693)
    by 0x4A344A: ProcMapWindow (dispatch.c:922)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)
  Uninitialised value was created by a heap allocation
    at 0x4841866: malloc (vg_replace_malloc.c:446)
    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
    by 0x4EBB89: CreateWindow (window.c:925)
    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)

 Conditional jump or move depends on uninitialised value(s)
    at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
    by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
    by 0x4F9255: RegionTranslate (regionstr.h:312)
    by 0x4F9B7E: compClipNotify (compwindow.c:319)
    by 0x484FC9: miComputeClips (mivaltree.c:476)
    by 0x48559A: miValidateTree (mivaltree.c:679)
    by 0x4F0685: MapWindow (window.c:2693)
    by 0x4A344A: ProcMapWindow (dispatch.c:922)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)
  Uninitialised value was created by a heap allocation
    at 0x4841866: malloc (vg_replace_malloc.c:446)
    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
    by 0x4EBB89: CreateWindow (window.c:925)
    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
    by 0x4A25B5: Dispatch (dispatch.c:560)
    by 0x4B082A: dix_main (main.c:282)
    by 0x429233: main (stubmain.c:34)

Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.

Related to CVE-2025-26599, ZDI-CAN-25851

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
 composite/compalloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/composite/compalloc.c b/composite/compalloc.c
index 55a1b725a..d1c205ca0 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin)
     int h = pWin->drawable.height + (bw << 1);
     PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
     CompWindowPtr cw = GetCompWindow(pWin);
+    Bool status;
 
-    if (!pPixmap)
-        return FALSE;
+    if (!pPixmap) {
+        status = FALSE;
+        goto out;
+    }
     if (cw->update == CompositeRedirectAutomatic)
         pWin->redirectDraw = RedirectDrawAutomatic;
     else
@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin)
         DamageRegister(&pWin->drawable, cw->damage);
         cw->damageRegistered = TRUE;
     }
+    status = TRUE;
 
+out:
     /* Make sure our borderClip is up to date */
     RegionUninit(&cw->borderClip);
     RegionCopy(&cw->borderClip, &pWin->borderClip);
     cw->borderClipX = pWin->drawable.x;
     cw->borderClipY = pWin->drawable.y;
 
-    return TRUE;
+    return status;
 }
 
 void
-- 
2.48.1