fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-06-07 06:28:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

dix/colormap: fix out-of-bounds read in FindColorInRootCmap

Browse source 
The for loop here always iterates size times but the client controls the
starting offset. When the starting pixel is non-zero (e.g., pixel=10 in
a size=256 colormap), the loop reads from pentFirst[10] through
pentFirst[265], reading 10 entries past the end of the array.

Fix this by wrapping around once we reach size, same as FindColor()
already does.

Assisted-by: Claude:claude-claude-opus-4-6
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2215>
This commit is contained in:
Peter Hutterer 2026-04-17 10:13:51 +10:00 committed by Marge Bot
parent 93d1441487
commit b4f2807a40
1 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
dix/colormap.c
View file

@ -1295,7 +1295,7 @@ FindColorInRootCmap(ColormapPtr pmap, EntryPtr pentFirst, int size,
if ((pixel = *pPixel) >= size)
pixel = 0;
for (pent = pentFirst + pixel, count = size; --count >= 0; pent++, pixel++) {
for (pent = pentFirst + pixel, count = size; --count >= 0;) {
if (pent->refcnt > 0 && (*comp) (pent, prgb)) {
switch (channel) {
case REDMAP:
@ -1312,6 +1312,13 @@ FindColorInRootCmap(ColormapPtr pmap, EntryPtr pentFirst, int size,
}
*pPixel = pixel;
}
pixel++;
if (pixel >= size) {
pent = pentFirst;
pixel = 0;
}
else
pent++;
}
}