mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 15:10:02 +01:00
564ccf2ce9
PointerWindows[] keeps a reference to the last window our sprite entered - changes are usually handled by CheckMotion(). If we switch between screens via XWarpPointer our dev->spriteInfo->sprite->win is set to the new screen's root window. If there's another window at the cursor location CheckMotion() will trigger the right enter/leave events later. If there is not, it skips that process and we never trigger LeaveWindow() - PointerWindows[] for the device still refers to the previous window. If that window is destroyed we have a dangling reference that will eventually cause a use-after-free bug when checking the window hierarchy later. To trigger this, we require: - two protocol screens - XWarpPointer to the other screen's root window - XDestroyWindow before entering any other window This is a niche bug so we hack around it by making sure we reset the PointerWindows[] entry so we cannot have a dangling pointer. This doesn't handle Enter/Leave events correctly but the previous code didn't either. CVE-2023-5380, ZDI-CAN-21608 This vulnerability was discovered by: Sri working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Adam Jackson <ajax@redhat.com>
67 lines
2.6 KiB
C
67 lines
2.6 KiB
C
/*
|
|
* Copyright © 2008 Red Hat, Inc.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the next
|
|
* paragraph) shall be included in all copies or substantial portions of the
|
|
* Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
|
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
|
* DEALINGS IN THE SOFTWARE.
|
|
*
|
|
* Authors: Peter Hutterer
|
|
*
|
|
*/
|
|
|
|
#ifdef HAVE_DIX_CONFIG_H
|
|
#include <dix-config.h>
|
|
#endif
|
|
|
|
#ifndef ENTERLEAVE_H
|
|
#define ENTERLEAVE_H
|
|
|
|
#include <dix.h> /* DoFocusEvents() */
|
|
|
|
extern void DoEnterLeaveEvents(DeviceIntPtr pDev,
|
|
int sourceid,
|
|
WindowPtr fromWin, WindowPtr toWin, int mode);
|
|
|
|
extern void EnterLeaveEvent(DeviceIntPtr mouse,
|
|
int type,
|
|
int mode, int detail, WindowPtr pWin, Window child);
|
|
|
|
extern void CoreEnterLeaveEvent(DeviceIntPtr mouse,
|
|
int type,
|
|
int mode,
|
|
int detail, WindowPtr pWin, Window child);
|
|
extern void DeviceEnterLeaveEvent(DeviceIntPtr mouse,
|
|
int sourceid,
|
|
int type,
|
|
int mode,
|
|
int detail, WindowPtr pWin, Window child);
|
|
extern void DeviceFocusEvent(DeviceIntPtr dev,
|
|
int type,
|
|
int mode,
|
|
int detail ,
|
|
WindowPtr pWin);
|
|
|
|
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
|
|
|
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
|
int type, int mode, int detail, WindowPtr pWin);
|
|
|
|
extern void SetFocusIn(DeviceIntPtr kbd, WindowPtr win);
|
|
|
|
extern void SetFocusOut(DeviceIntPtr dev);
|
|
#endif /* _ENTERLEAVE_H_ */
|