From 6683c1ea3068d5a36119b57cb4ef40bad1663092 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko
Date: Wed, 17 Dec 2025 11:15:27 +0300
Subject: [PATCH] dix: avoid null ptr deref at doListFontsAndAliases

In the `doListFontsAndAliases` function in dixfonts.c, when a font alias is encountered (`err == FontNameAlias`) as a result of `list_next_font_or_alias` call, the code allocates memory for `resolved` variable (`resolvedlen + 1` bytes) for storing target font name. In this case, if the `malloc(resolvedlen + 1)` call fails, `resolved` remains NULL. Later, when check (`else if (err == FontNameAlias)`) is TRUE, the code uses `memcpy` to copy nullable `resolved` into `tmp_pattern` without checking if `resolved` is NULL, so there is a potential null ptr dereference.

This commit replaces `malloc` with `XNFalloc` for allocating memory for `resolved`. `XNFalloc` will internally check result of `malloc` and stop program execution if allocation was failed, preventing potential NULL dereferencing.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko
---
 dix/dixfonts.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 9f67320a0..00ab157a7 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -644,9 +644,8 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
 }
 if (err == FontNameAlias) {
 free(resolved);
- resolved = malloc(resolvedlen + 1);
- if (resolved)
- memcpy(resolved, tmpname, resolvedlen + 1);
+ resolved = XNFalloc(resolvedlen + 1);
+ memcpy(resolved, tmpname, resolvedlen + 1);
 }
 }
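Review bot: The `XNFalloc` on the first `+` line turns an allocation failure inside a request handler into a FatalError() that terminates the whole server, so the patch swaps an accidental NULL-dereference crash for a deliberate one rather than failing only the offending ListFonts request; dix normally answers a failed small allocation on a request path with BadAlloc and keeps serving other clients. If the function's cleanup path (outside this hunk) is reachable from this point, `resolved = malloc(resolvedlen + 1); if (!resolved) { err = BadAlloc; goto bail; }` keeps the NULL check the commit removes and still guarantees the later unchecked `memcpy(tmp_pattern, resolved, ...)` described in the message never sees a NULL `resolved`, at the cost of confirming that the surrounding `err` dispatch handles BadAlloc as an exit rather than another loop iteration. Whichever allocator stays, the new invariant deserves a comment at the allocation, e.g. `/* resolved is non-NULL from here on; the FontNameAlias branch below copies it unchecked */`, since the removed `if (resolved)` was the only visible hint. doListFontsAndAliases begins and ends outside the hunk.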