fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-26 17:00:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

composite: Handle failure to redirect in compRedirectWindow()

Browse source 
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.

In that case, compRedirectWindow() will return a BadAlloc error.

However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.

That causes a use of uninitialized pointer later.

The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.

CVE-2025-26599, ZDI-CAN-25851

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c1ff84bef2)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
This commit is contained in:
Olivier Fourdan 2024-12-17 15:19:45 +01:00
parent cc15c9fa40
commit 40efa6359c
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
composite/compalloc.c
View file

@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
WindowPtr pLayerWin;
Bool anyMarked = FALSE;
int status = Success;
if (pWin == cs->pOverlayWin) {
return Success;
@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
if (!compCheckRedirect(pWin)) {
FreeResource(ccw->id, RT_NONE);
return BadAlloc;
status = BadAlloc;
}
if (anyMarked)
compHandleMarkedWindows(pWin, pLayerWin);
return Success;
return status;
}
void