sync: Do not fail SyncAddTriggerToSyncObject()

We do not want to return a failure at the very last step in SyncInitTrigger() after having all changes applied. SyncAddTriggerToSyncObject() must not fail on memory allocation, if the allocation of the SyncTriggerList fails, trigger a FatalError() instead. Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 8cbc90c881) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
2025-12-31 12:30:08 +01:00 · 2025-01-20 17:06:07 +01:00 · 2025-01-20 17:06:07 +01:00 · 043a4e959b
commit 043a4e959b
parent 330b406821
1 changed files with 3 additions and 4 deletions
--- a/Xext/sync.c
+++ b/Xext/sync.c
@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
            return Success;
    }

-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
-        return BadAlloc;
+    /* Failure is not an option, it's succeed or burst! */
+    pCur = XNFalloc(sizeof(SyncTriggerList));

    pCur->pTrigger = pTrigger;
    pCur->next = pTrigger->pSync->pTriglist;
@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
     *  a new counter on a trigger
     */
    if (newSyncObject) {
-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
-            return rc;
+        SyncAddTriggerToSyncObject(pTrigger);
    }
    else if (pCounter && IsSystemCounter(pCounter)) {
        SyncComputeBracketValues(pCounter);