Xext/xres: fix undefined behavior in ConstructClientIdValue

The CARD32 *value pointer was computed as (ptr + sizeof(rep))
BEFORE the NULL check for ptr. If AddFragment returns NULL, this
performs pointer arithmetic on a null pointer, which is undefined
behavior per C11 section 6.5.6 paragraph 8. With aggressive compiler
optimizations (e.g., GCC -O2 with LTO), the compiler could reason
that since ptr was used in arithmetic, it must be non-NULL, and
optimize away the NULL check entirely. This would then cause a
write to an invalid address on OOM.

Co-Authored-by: Claude Code <noreply@anthropic.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2181>
Peter Hutterer 2026-04-17 12:03:59 +10:00 committed by Marge Bot
parent d2d4fb35e7
commit 598994a856


@ -490,12 +490,14 @@ ConstructClientIdValue(ClientPtr sendClient, ClientPtr client, CARD32 mask,
if (pid != -1) {
void *ptr = AddFragment(&ctx->response,
sizeof(rep) + sizeof(CARD32));
CARD32 *value = (void*) ((char*) ptr + sizeof(rep));
CARD32 *value;
if (!ptr) {
return FALSE;
}
value = (void*) ((char*) ptr + sizeof(rep));
rep.spec.mask = X_XResLocalClientPIDMask;
rep.length = 4;
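Review bot: the separate `CARD32 *value;` declaration and the later `value = (void*) ((char*) ptr + sizeof(rep));` can be collapsed into one definition placed after the `if (!ptr) { return FALSE; }` early return, for example `CARD32 *value = (CARD32 *) ((char *) ptr + sizeof(rep));`, which keeps the pointer initialised at its point of declaration, drops the redundant intermediate `(void*)` cast, and makes it visible at a glance that no arithmetic on `ptr` happens before the NULL check the commit message is fixing.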