Peter Hutterer 54c3d9fad0 xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes

CheckKeyTypes computes nMaps = firstType + nTypes from client-controlled
request fields when XkbSetMapResizeTypes is set. This value is used to
index mapWidths[], a stack-allocated CARD8 array of XkbMaxLegalKeyCode + 1
(256) elements. No upper bound is enforced on nMaps.

An attacker can first send SetMap(firstType=0, nTypes=255, ResizeTypes) to
set the server's num_types to 255, then send SetMap(firstType=255,
nTypes=10, ResizeTypes). The firstType > num_types check passes because
255 > 255 is false (the check uses > rather than >=). nMaps is then
computed as 265, and the loop writes mapWidths[255..264], overflowing 9
bytes past the stack buffer into adjacent stack variables (symsPerKey[]).

Fix by rejecting requests where firstType + nTypes would exceed the
mapWidths buffer size (XkbMaxLegalKeyCode + 1).

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30161

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 867b59b33b)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
2026-06-02 09:47:21 +10:00
.gitlab-ci ci: Install libxcvt from git 2021-08-06 11:29:29 +00:00
composite composite: initialize border clip even when pixmap alloc fails 2025-02-25 19:36:29 +01:00
config config: add a quirk for Apple Silicon appledrm 2024-12-02 16:11:51 +00:00
damageext More missing version checks in SProcs 2021-08-08 12:43:01 +00:00
dbe meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
dix dix: Fix builds with meson -Dxace=false -Dwerror=true 2026-03-28 16:40:00 +00:00
doc meson: Implement developer documentation build 2021-08-20 10:26:07 +00:00
dri3 meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
exa exa: rename some badly named variables 2020-07-10 06:17:40 +10:00
fb meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
glamor glamor: avoid double free in glamor_make_pixmap_exportable() 2026-03-28 16:40:00 +00:00
glx glx: reject negative size in FeedbackBuffer and SelectBuffer requests 2026-05-30 10:35:53 -07:00
hw xf86: check return value of XF86_CRTC_CONFIG_PTR in xf86CompatOutput() 2026-03-28 16:40:00 +00:00
include xkb: Make the RT_XKBCLIENT resource private 2025-10-28 14:15:35 +01:00
m4 Add ax_pthread.m4 to m4/ 2016-05-29 19:20:51 -07:00
man Xserver.man: correct list of available authorization protocols 2025-06-12 18:08:25 -07:00
mi mi: guard miPointer functions against NULL dereferences 2025-04-08 09:50:18 +02:00
miext sync: fix deletion of counters and fences 2026-06-02 09:47:17 +10:00
os os: fix sha1 build error with Nettle 4.0 2026-03-28 16:40:00 +00:00
present present: actually return the created notifies 2026-05-30 10:35:53 -07:00
pseudoramiX Unvalidated lengths 2017-10-10 23:33:34 +02:00
randr randr: clear primary screen's primaryOutput when the output is deleted 2026-03-28 16:39:59 +00:00
record record: Check for overflow in RecordSanityCheckRegisterClients() 2025-06-17 15:06:30 +02:00
render render: fix multiple mem leaks on err paths 2026-03-28 16:39:59 +00:00
test tests: Add missing files to Makefile build 2025-10-28 17:00:57 +01:00
Xext sync: restart trigger list iteration in SyncChangeCounter after TriggerFired 2026-06-02 09:47:19 +10:00
xfixes xfixes: Check request length for SetClientDisconnectMode 2025-06-17 15:06:09 +02:00
Xi Xi: add missing gesture grab type checks in ProcXIPassiveUngrabDevice 2026-05-30 10:35:53 -07:00
xkb xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes 2026-06-02 09:47:21 +10:00
.appveyor.yml Drop DMX DDX 2021-09-07 09:34:31 +00:00
.dir-locals.el .dir-locals.el: Add missing final newline 2019-10-01 17:05:28 +00:00
.gitignore .gitignore: Add new autotools file 'test-driver' 2014-04-21 13:41:42 -07:00
.gitlab-ci.yml .gitlab-ci: Use meson instead of ninja for running the tests 2025-06-30 11:29:21 +02:00
.travis.yml travis: Add OSX meson build to matrix 2019-05-02 15:42:58 +00:00
autogen.sh autogen: Set a default subject prefix for patches 2016-02-08 17:41:38 -05:00
configure.ac xserver 21.1.22 2026-04-14 15:12:24 +02:00
COPYING COPYING: add author to HPND-sell-MIT-disclaimer-xserver 2026-03-28 16:39:59 +00:00
devbook.am doc: Create a script to filter xmlto output 2015-01-05 14:24:06 -08:00
docbook.am docbook.am: embed css styles inside the HTML HEAD element 2011-09-21 14:07:49 -07:00
Makefile.am Makefile.am: add SECURITY.md to EXTRA_DIST 2025-11-30 17:21:49 +00:00
manpages.am man: Fix automake seddery 2018-05-08 12:15:30 -04:00
meson.build xserver 21.1.22 2026-04-14 15:12:24 +02:00
meson_options.txt meson: fix types for some build options 2026-05-26 17:38:22 -07:00
README.md Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
SECURITY.md Create a SECURITY.md file 2025-11-30 17:21:49 +00:00
xorg-server.m4 xorg-server.m4: just all cflags instead of just sdkdir 2018-09-20 20:12:24 +01:00
xorg-server.pc.in pkgconfig files: Add URL 2025-04-08 10:16:56 +02:00
xserver.ent.in doc: relocate xserver.ent in the package root directory 2011-05-14 11:22:26 -07:00

X Server

The X server accepts requests from client applications to create windows, which are (normally rectangular) "virtual screens" that the client program can draw into.

Windows are then composed on the actual screen by the X server (or by a separate composite manager) as directed by the window manager, which usually communicates with the user via graphical controls such as buttons and draggable titlebars and borders.

For a comprehensive overview of X Server and X Window System, consult the following article: https://en.wikipedia.org/wiki/X_server

All questions regarding this software should be directed at the Xorg mailing list:

https://lists.freedesktop.org/mailman/listinfo/xorg

The primary development code repository can be found at:

https://gitlab.freedesktop.org/xorg/xserver

For patch submission instructions, see:

https://www.x.org/wiki/Development/Documentation/SubmittingPatches

As with other projects hosted on freedesktop.org, X.Org follows its Code of Conduct, based on the Contributor Covenant. Please conduct yourself in a respectful and civilized manner when using the above mailing lists, bug trackers, etc:

https://www.freedesktop.org/wiki/CodeOfConduct