xserver/dix
Peter Hutterer a569eb4f36 dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN
XLFDMAXFONTNAMELEN was 256 bytes, but libXfont2 defines MAXFONTNAMELEN
as 1024 and allows font names and alias targets up to that length in
fonts.alias files.

doListFontsAndAliases copies the resolved alias target into a
stack-allocated tmp_pattern[XLFDMAXFONTNAMELEN] and then into
c->current.pattern[XLFDMAXFONTNAMELEN] (defined in LFWIstateRec).
doListFontsWithInfo has the same pattern, copying the resolved name into
c->current.pattern[]. With the old 256-byte limit, a fonts.alias entry
with a target name between 257 and 1023 bytes would overflow both
buffers.

An attacker can exploit this by:
  1. Creating a font directory with a fonts.alias containing an alias
     whose target name exceeds 256 bytes
  2. Using SetFontPath to add the malicious directory
  3. Calling ListFonts with the alias name to trigger alias resolution
  4. The oversized resolved name overflows the 256-byte stack buffer

Increase XLFDMAXFONTNAMELEN from 256 to 1024 to match libXfont2's
MAXFONTNAMELEN, ensuring the server can handle any name the font library
produces.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30136

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bb5158f962)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
2026-06-02 09:47:45 +10:00
.gitignore Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
atom.c atom: make FreeAtom static 2015-07-08 16:41:29 -04:00
buildatoms XFree86 4.3.0.1 2003-11-14 16:49:22 +00:00
BuiltInAtoms R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
colormap.c dix: FindBestPixel: fix implicit fallthrough warning 2024-10-11 00:18:05 +00:00
cursor.c dix: Remove -fn and -fc options to set default text/cursor fonts 2019-10-30 16:17:04 +00:00
devices.c dix: Hold input lock for AttachDevice() 2025-03-29 09:14:18 -07:00
dispatch.c os: Do not overflow the integer size with BigRequest 2025-06-17 15:05:52 +02:00
dispatch.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
dixfonts.c dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN 2026-06-02 09:47:45 +10:00
dixutils.c os: Don't crash in AttendClient if the client is gone 2019-11-19 10:15:05 -08:00
enterleave.c dix: handle allocation failure in DeviceFocusEvent() 2025-10-21 09:00:47 +02:00
enterleave.h mi: reset the PointerWindows reference on screen switch 2023-10-25 10:51:18 +10:00
eventconvert.c dix: limit checks to MAX_VALUATORS when generating Xi events 2025-02-05 15:02:23 +01:00
events.c dix: Fix builds with meson -Dxace=false -Dwerror=true 2026-03-28 16:40:00 +00:00
extension.c dix: Allow an extension to disable itself 2018-04-24 14:36:04 -04:00
gc.c dix: set errorValue correctly when XID lookup fails in ChangeGCXIDs() 2026-03-28 16:39:59 +00:00
gestures.c dix: avoid null dereference if wOtherInputMasks() returns NULL 2025-10-21 09:00:47 +02:00
getevents.c touchevents: set the screen pointer after checking the device is enabled 2021-09-07 16:58:10 +02:00
globals.c include: Remove now-empty site.h 2019-10-30 16:17:04 +00:00
glyphcurs.c Let calloc handle multiplication 2015-04-21 16:57:07 -07:00
grabs.c xi: Implement grab support for new gesture event types 2021-05-30 13:26:32 +03:00
initatoms.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
inpututils.c Implement gesture processing logic 2021-05-30 13:26:42 +03:00
main.c dix: keep a ref to the rootCursor 2025-02-25 19:36:29 +01:00
Makefile.am dix: Implement internal gesture state handling 2021-05-30 13:26:39 +03:00
meson.build dix: Implement internal gesture state handling 2021-05-30 13:26:39 +03:00
pixmap.c fix for ZDI-11426 2020-07-31 14:51:23 +00:00
privates.c dix/privates.c: Avoid undefined behaviour after realloc() 2021-10-08 21:38:01 +03:00
property.c dix: avoid memory leak in ProcListProperties() 2025-10-21 09:00:47 +02:00
protocol.txt protocol.txt: add GLX req. 35 - SetClientInfo2ARB 2018-02-27 13:08:35 -05:00
ptrveloc.c dix: InitPredictableAccelerationScheme: avoid memory leak on failure 2024-10-11 00:18:05 +00:00
region.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
registry.c Build required portions of registry.c automatically [v2] 2014-09-18 15:29:29 -07:00
resource.c dix: HashResourceID: use unsigned integers for bit shifting 2024-10-11 00:18:05 +00:00
selection.c dix: Push UpdateCurrentTimeIf down out of the main loop 2016-05-04 10:58:01 -04:00
stubmain.c Allow DDX to provide a main() 2013-07-23 23:56:58 +01:00
swaprep.c dix: assert that size of buffers to swap is a multiple of the swap size 2025-10-21 09:00:47 +02:00
swapreq.c dix: Disallow GenericEvent in SendEvent request. 2017-06-19 11:58:50 +10:00
tables.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
touch.c dix: avoid null dereference if wOtherInputMasks() returns NULL 2025-10-21 09:00:47 +02:00
window.c dix: handle allocation failure in ChangeWindowDeviceCursor() 2025-10-21 09:00:47 +02:00