dix: avoid null ptr deref at doListFontsWithInfo

In the doListFontsWithInfo function in dixfonts.c, when a font alias is
encountered (err == FontNameAlias), the code saves the current state
and allocates memory for c->savedName.

If the malloc(namelen + 1) call fails, c->savedName remains NULL,
but c->haveSaved is still set to TRUE. Later, when a font is
successfully resolved (err == Successful), the code uses c->savedName
without checking if it is NULL, so there is a potential null ptr
dereference. XNFalloc will check the result of malloc and stop
program execution if the allocation failed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1842
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2062>
This commit is contained in:
Mikhail Dmitrichenko 2025-09-17 17:25:40 +03:00 committed by Marge Bot
parent 8d25a89143
commit dd5c2595a4

@ -934,8 +934,7 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c)
c->haveSaved = TRUE; c->haveSaved = TRUE;
c->savedNumFonts = numFonts; c->savedNumFonts = numFonts;
free(c->savedName); free(c->savedName);
c->savedName = malloc(namelen + 1); c->savedName = XNFalloc(namelen + 1);
if (c->savedName)
memcpy(c->savedName, name, namelen + 1); memcpy(c->savedName, name, namelen + 1);
aliascount = 20; aliascount = 20;
} }
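
Review bot: At the `c->savedName = XNFalloc(namelen + 1);` line, an allocation failure now stops the whole server rather than failing the one client request being handled in doListFontsWithInfo, which trades a null dereference for a server-wide exit on memory pressure. Consider keeping `malloc` and handling NULL explicitly: set `c->haveSaved = TRUE` only after the copy has succeeded (or reset it on failure) and take the function's error path for that client, so the later `err == Successful` branch never sees haveSaved set with a NULL savedName. If aborting is the intended behaviour here, a short comment at this line saying so would keep a later reader from re-adding the removed `if (c->savedName)` check.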