xserver/dix
Peter Hutterer 93596a0b4d dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN
XLFDMAXFONTNAMELEN was 256 bytes, but libXfont2 defines MAXFONTNAMELEN
as 1024 and allows font names and alias targets up to that length in
fonts.alias files.

doListFontsAndAliases copies the resolved alias target into a
stack-allocated tmp_pattern[XLFDMAXFONTNAMELEN] and then into
c->current.pattern[XLFDMAXFONTNAMELEN] (defined in LFWIstateRec).
doListFontsWithInfo has the same pattern, copying the resolved name into
c->current.pattern[]. With the old 256-byte limit, a fonts.alias entry
with a target name between 257 and 1023 bytes would overflow both
buffers.

An attacker can exploit this by:
  1. Creating a font directory with a fonts.alias containing an alias
     whose target name exceeds 256 bytes
  2. Using SetFontPath to add the malicious directory
  3. Calling ListFonts with the alias name to trigger alias resolution
  4. The oversized resolved name overflows the 256-byte stack buffer

Increase XLFDMAXFONTNAMELEN from 256 to 1024 to match libXfont2's
MAXFONTNAMELEN, ensuring the server can handle any name the font library
produces.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30136

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bb5158f962)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2230>
2026-06-02 09:53:45 +10:00
.gitignore Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
atom.c atom: make FreeAtom static 2015-07-08 16:41:29 -04:00
buildatoms XFree86 4.3.0.1 2003-11-14 16:49:22 +00:00
BuiltInAtoms R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
callback_priv.h dix: unexport callback manager init / teardown functions 2024-03-12 15:18:17 +00:00
colormap.c dix: FindBestPixel: fix implicit fallthrough warning 2024-09-24 10:51:08 +02:00
cursor.c dix: drop now obsolete cursorScreenDevPriv 2024-03-12 15:24:35 +00:00
devices.c dix: Dequeue pending events on frozen device on removal 2025-02-25 19:38:11 +01:00
dispatch.c os: Do not overflow the integer size with BigRequest 2025-06-17 15:07:43 +02:00
dispatch.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
dix_priv.h dix: unexport CloseDownClient() 2024-03-13 00:47:36 +00:00
dixfonts.c dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN 2026-06-02 09:53:45 +10:00
dixutils.c dix: unexport callback manager init / teardown functions 2024-03-12 15:18:17 +00:00
enterleave.c dix: handle allocation failure in DeviceFocusEvent() 2025-10-21 08:57:52 +02:00
enterleave.h mi: reset the PointerWindows reference on screen switch 2023-10-25 00:37:47 +00:00
eventconvert.c dix: limit checks to MAX_VALUATORS when generating Xi events 2025-02-04 09:18:51 +01:00
eventconvert.h dix: unexport eventconvert.h functions 2024-03-11 12:26:44 +01:00
events.c dix: Fix builds with meson -Dxace=false -Dwerror=true 2026-04-09 08:59:08 +00:00
extension.c Move sizeof to second argument in calloc calls 2024-08-06 10:00:59 +02:00
gc.c dix: set errorValue correctly when XID lookup fails in ChangeGCXIDs() 2026-04-09 08:59:09 +00:00
gestures.c dix: avoid null dereference if wOtherInputMasks() returns NULL 2025-10-21 08:57:52 +02:00
getevents.c Revert "include: move BUG_*() macros to separate header" 2024-02-23 23:11:01 +00:00
globals.c dix: unexport global variables 2024-03-09 17:23:43 +00:00
glyphcurs.c Let calloc handle multiplication 2015-04-21 16:57:07 -07:00
grabs.c dix: unexport CloseDownClient() 2024-03-13 00:47:36 +00:00
initatoms.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
inpututils.c Revert "include: move BUG_*() macros to separate header" 2024-02-23 23:11:01 +00:00
main.c dix: keep a ref to the rootCursor 2025-02-25 19:38:11 +01:00
meson.build dix: Implement internal gesture state handling 2021-05-30 13:26:39 +03:00
pixmap.c dix: Remove pScratchPixmap and other associated ABI changes 2022-12-30 01:32:25 +00:00
privates.c Move sizeof to second argument in calloc calls 2024-08-06 10:00:59 +02:00
property.c dix: avoid memory leak in ProcListProperties() 2025-10-21 08:57:52 +02:00
protocol.txt drop remains of DMX 2024-03-05 16:57:52 +01:00
ptrveloc.c dix: InitPredictableAccelerationScheme: avoid memory leak on failure 2024-09-24 10:50:50 +02:00
ptrveloc_priv.h dix: unexport InitTrackers() 2024-03-09 18:01:52 +00:00
region.c replace _X_INLINE by inline in internal static functions 2024-02-05 19:26:14 +00:00
registry.c include: drop obsolete registry.h 2024-03-03 23:20:06 +00:00
registry_priv.h dix: unexport XREGISTRY_UNKNOWN define 2024-03-03 23:20:06 +00:00
resource.c dix: HashResourceID: use unsigned integers for bit shifting 2024-09-24 10:51:00 +02:00
screenint_priv.h dix: unexport AttachOffloadGPU() and DetachOffloadGPU() 2024-03-03 23:24:29 +00:00
selection.c replace _X_INLINE by inline in internal static functions 2024-02-05 19:26:14 +00:00
stubmain.c Allow DDX to provide a main() 2013-07-23 23:56:58 +01:00
swaprep.c dix: assert that size of buffers to swap is a multiple of the swap size 2025-10-21 08:57:52 +02:00
swapreq.c dix: Disallow GenericEvent in SendEvent request. 2017-06-19 11:58:50 +10:00
tables.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
touch.c dix: avoid null dereference if wOtherInputMasks() returns NULL 2025-10-21 08:57:52 +02:00
window.c dix: handle allocation failure in ChangeWindowDeviceCursor() 2025-10-21 08:57:52 +02:00