mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2026-02-16 05:00:28 +01:00
6fa76cbb67
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.
In that case, compRedirectWindow() will return a BadAlloc error.
However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.
That causes a use of uninitialized pointer later.
The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.
CVE-2025-26599, ZDI-CAN-25851
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| compalloc.c | ||
| compext.c | ||
| compinit.c | ||
| compint.h | ||
| compositeext.h | ||
| compoverlay.c | ||
| compwindow.c | ||
| meson.build | ||