mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-31 11:20:09 +01:00
Previously, AllocateGlyph would return a new glyph with refcount=0 and a
re-used glyph would end up not changing the refcount at all. The
resulting glyph_new array would thus have multiple entries pointing to
the same non-refcounted glyphs.

AddGlyph may free a glyph, resulting in a UAF when the same glyph
pointer is then later used.

Fix this by returning a refcount of 1 for a new glyph and always
incrementing the refcount for a re-used glyph, followed by dropping that
refcount back down again when we're done with it.

CVE-2024-31083, ZDI-CAN-22880

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>

(cherry picked from commit

| File |
|---|
| animcur.c |
| filter.c |
| glyph.c |
| glyphstr.h |
| Makefile.am |
| matrix.c |
| meson.build |
| miindex.c |
| mipict.c |
| mipict.h |
| mirect.c |
| mitrap.c |
| mitri.c |
| picture.c |
| picture.h |
| picturestr.h |
| render.c |