If there's nothing to send, skip over a bunch of code to make a list
that won't be used, and hopefully make the code path clearer to both
humans and static analyzers, who raise errors as seen in #1817 of
dereferencing NULL pointers when count == 0.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:233:13: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘current_clients’
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:228:23: acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/vidmode.c:96:5: warning[-Wanalyzer-null-argument]: use of NULL ‘VidModeCreateMode()’ where non-null expected
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported incorrectly in #1817 as:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2843:12: danger: ‘priv’ leaks here; was allocated at [(30)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/29)
but the "leak" is really saving the pointer in an uninitalized pointer in
a structure that was already freed when the malloc of the SysCounterInfo
struct failed in SyncCreateSystemCounter(), because it returned the address
of the freed struct instead of NULL to indicate failure.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Building with -Dxace=false was generating many failures of the form:
../dix/cursor.c: In function ‘AllocARGBCursor’:
../dix/cursor.c:281:10: error: implicit declaration of function
‘XaceHookResourceAccess’; did you mean ‘XaceHookPropertyAccess’?
[-Werror=implicit-function-declaration]
281 | rc = XaceHookResourceAccess(client, cid, X11_RESTYPE_CURSOR,
| ^~~~~~~~~~~~~~~~~~~~~~
| XaceHookPropertyAccess
Fixes: ae3c57333 ("xace: typesafe hook function for XACE_RESOURCE_ACCESS")
Fixes: 9524ffee8 ("xace: typesafe hook function for XACE_DEVICE_ACCESS")
Fixes: 67e468c8b ("xace: typesafe hook function for XACE_SEND_ACCESS")
Fixes: 3dfe00d5e ("xace: typesafe hook function for XACE_RECEIVE_ACCESS")
Fixes: 922b7685d ("xace: typesafe hook function for XACE_CLIENT_ACCESS")
Fixes: 0f6bb23bc ("xace: typesafe hook function for XACE_EXT_ACCESS")
Fixes: 47d6c3ad7 ("xace: typesafe hook function for XACE_SERVER_ACCESS")
Fixes: 51d8bcfc0 ("xace: typesafe hook function for XACE_SCREEN_ACCESS")
Fixes: 305f2d59d ("xace: typesafe hook function for XACE_SCREENSAVER_ACCESS")
Fixes: 591d95c79 ("xace: typesafe hook function for XACE_AUTH_AVAIL")
Fixes: facdaae4e ("xace: typesafe hook function for XACE_KEY_AVAIL")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2056>
This reverts commit a57db845bb.
It breaks when building with -Dxinerama=false:
../Xext/shape.c: In function ‘ProcShapeRectangles’:
../Xext/shape.c:318:12: error: too few arguments to function
‘ShapeRectangles’; expected 2, have 1
318 | return ShapeRectangles(client);
| ^~~~~~~~~~~~~~~
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2055>
../Xext/xf86bigfont.c: At top level:
../Xext/xf86bigfont.c:683:1: error: no previous prototype for
‘XFree86BigfontExtensionInit’ [-Werror=missing-prototypes]
683 | XFree86BigfontExtensionInit(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 33350ef8f ("include: move private definitions out of extinit.h")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2053>
Build breaks with gcc 14 & later when xf86bigfont is enabled:
../Xext/xf86bigfont.c: In function ‘XFree86BigfontExtensionInit’:
../Xext/xf86bigfont.c:709:28: error: implicit declaration of function
‘xfont2_allocate_font_private_index’;
did you mean ‘AllocateFontPrivateIndex’? [-Wimplicit-function-declaration]
709 | FontShmdescIndex = xfont2_allocate_font_private_index();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| AllocateFontPrivateIndex
Fixes: 05a793f5b ("dix: Switch to the libXfont2 API (v2)")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2053>
This commit doesn't compile, but wasn't noticed since xf86bigfont
isn't enabled by default, so wasn't being built in our CI builds.
(The ".type = X_Reply;" line needs to end with a , not a ;)
This reverts commit b5a3ac9527.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2053>
The NVIDIA driver still supports GLX across physical screens in Xinerama
configurations, and uses the definitions in these headers to do that.
This reverts commit 3f469acb96.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
There's really no practical use for disabling GEEext, would just
cause the Xserver misbehaviour (eg. missing byte swapping)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1812>
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
