XDM-AUTHORIZATION-2 (IPv6 capable version of -1) was never merged.
SUN-DES-1 was removed by commit 71b207a2e in 2024
MIT-KERBEROS-5 was removed by commit dfbe32b5b in 2007
Fixes: 71b207a2e ("os: drop SUN-DES-1 authentication")
Fixes: dfbe32b5b ("Remove the old Kerberos 5 authentication code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1913>
(cherry picked from commit 845c4ae518)
Allows nroff to insert a line break between iterm in the font path
instead of displaying it as a single, very overlength line.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1891>
(cherry picked from commit b9c31cc9bc)
This fixes a crash when we try to send focus events and dereference
FollowKeyboardWin (0x3) as WindowPtr.
A device set to XSetDeviceFocus(FollowKeyboard) is supposed to follow
the focus of the corresponding master device. During ActivateKeyboard
a slave device is detached from the master for the duration for the grab
so we don't actually have a master to follow - leaving our oldWin set to
the FollowKeyboardWin constant. This later crashes when we try to
dereference it.
Fix this by getting the current master (if any), or the saved master (if
temporarily detached due to a grab). And if failing that, use the VCK
as fallback device - that is technically wrong but it's such a niche use
case that it shouldn't matter.
Reproducer:
window = XCreateSimpleWindow(...)
deviceid = any device that is IsXExtensionKeyboard device
XSetDeviceFocus(deviceid, FollowKeyboard, ...)
XGrabDevice(deviceid, window, ...)
Fixes: f01ee198ff ("dix: don't use inputInfo.keyboard to get the focus window in ActivateKbdGrab")
Found-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1870>
(cherry picked from commit cab9017485)
The WriteReplyToClient() macro is used for cases where byte swapping
is implemented in a separate callback function (set in a global vector
table). Since Xwl extension doesn't have such a callback, but does the
byte swapping directly in it's request handlers, there's no need to
call the WriteReplyToClient() macro - we can use WriteToClient() instead.
Fixes: 2700bc6045 - xwayland: add support for the XWAYLAND extension
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1878>
(cherry picked from commit c445167da6)
All jobs utilizing kvm (eg. FreeBSD) need the "kvm" runner tag set.
It used to work w/o it, since all runners did have kvm, but in the
new CI there are non-kvm runners, so we really need to set the tag.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1872>
(cherry picked from commit 52c2cb7439)
Use the correct macro for the font change of a single argument or
split the argument into two.
43:.BI Keyboard
46:.BI Pointer
52:.BI PointerAbsolute
58:.BI PointerAbsoluteProximity
62:.BI Touch
103:.BI xf86ITEventWaitForSync
-.-.
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
19:server as input events. It supports the full set of the xf86 driver APIs
20:exposed by Xorg. The primary use cases of this input driver are various
29:is created after the driver is initialized. The paths to the socket is passed
37:Sets the path where the driver will create a named socket. Any existing file
47:Initializes a relative-mode pointer device. It will have four valuators -
53:Initializes an absolute-mode pointer device. It will have four valuators -
87:specifies the protocol version supported by it. If this version is lower than
91:to the driver. Each event is an instance of one of the
93:structs. The length field defines the full length of the struct in bytes and
96:The responses from the server follow the same structure. Each response is an
99:structs. The length field defines the full length of the struct in bytes and
104:event. After sending such event, the client must read of a
106:events. The completion of the read operation indicates that Xorg has fully
-.-.
The name of a man page is typeset in bold and the section in roman
(see man-pages(7)).
24:Please refer to xorg.conf(5) for general configuration
112:Xorg(1), xorg.conf(5), Xserver(1), X(7)
-.-
Additionally:
"read of a xf86... event" -> "read an xf86... event"
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095449
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit bcf743f356)
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
Mark a final abbreviation point as such by suffixing it with "\&".
25:Disables acceleration of uploading pixmap data to the framebuffer. Default: No.
-.-.
Split a punctuation mark from a single argument for a two-font macro
40:.BR xorg.conf(5).
-.-.
Section headings (.SH and .SS) do not need quoting.
38:.SH "SEE ALSO"
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z ":
an.tmac:<stdin>:40: misuse, warning: .BR is for at least 2 arguments, got 1
Use macro '.B' for one argument or split argument.
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095446
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 49378eb510)
Output from "mandoc -T lint Xserver.1": (possibly shortened list)
mandoc: Xserver.1:117:4: WARNING: undefined escape, printing literally: \+
mandoc: Xserver.1:118:81: STYLE: input text line longer than 80 bytes: Allow connections fr...
mandoc: Xserver.1:122:84: STYLE: input text line longer than 80 bytes: Prohibit connections...
Add a comma (or \&) after "e.g." and "i.e.", or use English words
(man-pages(7)).
81:sets pointer acceleration (i.e. the ratio of how much is reported to how much
273:sets pointer acceleration threshold in pixels (i.e. after how many pixels
468:contain either an Internet hostname (e.g. expo.lcs.mit.edu)
Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
Xserver.1: line 118 length 81
Allow connections from clients with an endianess different to that of the server.
Xserver.1: line 122 length 84
Prohibit connections from clients with an endianess different to that of the server.
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072500
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 359d12aa0b)
Wrong distance between sentences.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
Split lines longer than 100 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
"[" and "]", showing optional arguments to options, should be typeset in roman.
Output from "test-groff -b -mandoc -dAD=l -rF0 -rHY=0 -t -w w -z -rSTYLECHECK=3":
an.tmac:<stdin>:104: style: .BI expects at least 2 arguments, got 1
troff: backtrace: '/home/bg/git/groff/build/s-tmac/an.tmac':524: macro 'B'
troff: backtrace: file '<stdin>':167
troff:<stdin>:167: warning: cannot select font 'F'
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041094
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 056b447a33)
xtrans 1.6 will use struct sockaddr_storage if HAVE_STRUCT_SOCKADDR_STORAGE
is defined, even if IPv6 is disabled, unlike previous versions which tied
it to the IPv6 #define.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1864>
(cherry picked from commit 4b5d410591)
Grabbing a disabled (pointer) device will lead to a segfault later
in the myriad of places where we look at the device's spriteInfo - which
will be NULL.
As a workaround, disallow grabbing a disabled device by pretending it's
already grabbed. Since the point of a grab is to receive all events by
that device and disabled devices cannot send events, this should be Good
Enough.
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1856>
(cherry picked from commit 797f63b8be)
Currently each driver build job also builds the server. This is bad use
of resources because server build takes way more resources compared to a
driver build. Reusing already built xserver would resolve the issue.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1806>
(cherry picked from commit 68054d0fe3)
This ensures that the pkg-config files installed to
xserver-tarball/install will have correct paths. This is needed so that
xf86-driver-build-test will be able to reuse this installation of
xserver. It will be passed to that job via artifacts (subsequent
commits)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1806>
(cherry picked from commit f7d2e810ba)
In order to be able to build on Linux w/ platform_noop
(when no recent enough libdrm found), a few more dummy functions
are needed here.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1848>
(cherry picked from commit e2ac461629)
Several pieces of the code, as well as drivers are using %X, which
we don't support, so leading to error messages like this:
[2025-02-27 14:28:44] BUG: 'if (f[f_idx])'
[2025-02-27 14:28:44] BUG: ../xserver/os/log.c:538 in vpnprintf()
[2025-02-27 14:28:44] Unsupported printf directive 'X'
[2025-02-27 14:28:44]
[2025-02-27 14:28:44] Backtrace:
[2025-02-27 14:28:44] unw_get_proc_name failed: no unwind info found [-10]
[2025-02-27 14:28:44] 0: /usr/lib/Xorg (?+0x0) [0x5f4d1261bc47]
[2025-02-27 14:28:44] 1: /usr/lib/Xorg (LogVHdrMessageVerb+0x10f) [0x5f4d1261ca3f]
[2025-02-27 14:28:44] 2: /usr/lib/Xorg (LogHdrMessageVerb+0x85) [0x5f4d1261cae5]
[2025-02-27 14:28:44] 3: /usr/lib/Xorg (xf86VDrvMsgVerb+0x54) [0x5f4d12636604]
[2025-02-27 14:28:44] 4: /usr/lib/Xorg (xf86DrvMsg+0x97) [0x5f4d126367d7]
[2025-02-27 14:28:44] 5: /usr/lib/Xorg (xf86PrintEDID+0x545) [0x5f4d12654315]
[2025-02-27 14:28:44] 6: /usr/lib/Xorg (xf86OutputSetEDID+0x1bd) [0x5f4d12657e0d]
In the longer run, we'll have to decide whether we actually want to
implement the upper-case directive or change all callers to lower-case.
But for now it's better to just accept %X and interpret it as lower-case,
in order to fix those error messages. Whether it's printed as upper or
lower case is more or less an aesthetic matter.
Reported-By: guido iodice <guido.iodice@gmail.com>
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1846>
(cherry picked from commit 628e94b164)
Handles common case of allocating & copying string to temporary buffer
(cherry picked from xorg/lib/libxkbfile@8a91517ca6ea77633476595b0eb5b213357c60e5)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1821>
(cherry picked from commit 42a1f25faf)
Fixes formatting of negative numbers, so they don't show minus sign
after the decimal point.
(cherry picked from xorg/lib/libxkbfile@d2ec504fec2550f4fd046e801b34317ef4a4bab9)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1821>
(cherry picked from commit 7a23010232)
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unespected size.
Check the value and return if it is invalid.
This error has been found by a static analysis tool. This is the report:
Error: OVERRUN (CWE-119):
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
Checking "xkb->server->size_acts == 0" implies that
"xkb->server->size_acts" is 0 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
"calloc" allocates 8 bytes dictated by parameters
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
and "8UL".
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
Assigning: "nActs" = "1".
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
passing it to a function which accesses it at byte offset 15
using argument "nCopy * 8UL" (which evaluates to 8).
# 828|
# 829| if (nCopy > 0)
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
# 831| nCopy * sizeof(XkbAction));
# 832| if (nCopy < nKeyActs)
(cherry picked from xorg/lib/libx11@af1312d2873d2ce49b18708a5029895aed477392)
Signed-off-by: José Expósito <jexposit@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1821>
(cherry picked from commit 6d33834186)
If there was a previous radio_groups array which we failed to realloc
and freed instead, clear the array size in the XkbNamesRec.
Taken from xorg/lib/libx11@258a8ced681dc1bc50396be7439fce23f9807e2a
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1821>
(cherry picked from commit 09c6f09eb7)
Already in place for some functions, let's add it to most others.
The only function missing is miPointerSetPosition() which needs to
return the ScreenPtr and that one is unclear if we don't have a screen -
returning NULL will crash the caller(s) so let's wait for something to
trigger this bug before we try to fix it wrongly.
Related to #1782
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1771>
(cherry picked from commit 68c17477d2)
If a device is disabled, its master device is forcibly reset to NULL but
unlike a floating device it doesn't have a sprite allocated. Calling
miPointerGetPosition for a disabled device thus crashes.
Avoid this by returning 0/0 for any device without a miPointer.
This is a quick fix only, a proper fix for this issue is rather more
involved.
Closes#1782
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1771>
(cherry picked from commit acbdd0ecdd)
The xsync test is relying on the values being changed even in the case
of a BadMatch value.
Typically, it updates the delta but does not update the test type
comparison, so when passing a negative value, it generates a BadMatch.
That's actually not correct, and that will fail with the new fixes that
check the validity of the values prior to apply the changes.
Fix the test by updating the test type as needed.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1835>
(cherry picked from commit 05e54fefaf)
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit c285798984)
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit 8cbc90c881)
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit f52cea2f93)
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit 16a1242d0f)
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.
As a result, replaying the events will cause a use after free.
To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.
CVE-2025-26600, ZDI-CAN-25871
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit 6e0f332ba4)
If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:
Conditional jump or move depends on uninitialised value(s)
at 0x4F9B33: compClipNotify (compwindow.c:317)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.
Related to CVE-2025-26599, ZDI-CAN-25851
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit b07192a8be)
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.
In that case, compRedirectWindow() will return a BadAlloc error.
However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.
That causes a use of uninitialized pointer later.
The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.
CVE-2025-26599, ZDI-CAN-25851
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit c1ff84bef2)
The function GetBarrierDevice() would search for the pointer device
based on its device id and return the matching value, or supposedly NULL
if no match was found.
Unfortunately, as written, it would return the last element of the list
if no matching device id was found which can lead to out of bounds
memory access.
Fix the search function to return NULL if not matching device is found,
and adjust the callers to handle the case where the device cannot be
found.
CVE-2025-26598, ZDI-CAN-25740
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit bba9df1a9d)
