mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-25 06:00:06 +01:00
The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.
Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitialized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:

    [N, N, N, ?, ?, P, P, P ] P, P
                              ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.
CVE-2023-5367, ZDI-CAN-22153
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
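
The length and offset rules described in the commit message, as an added example in a simplified model (this is not the xserver code or the patch itself). `struct prop`, `prop_change` and `diagram_oob_elems` are hypothetical names, and the old-value offset used in `diagram_oob_elems` is read off the diagram above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mode { MODE_REPLACE, MODE_PREPEND, MODE_APPEND };
struct prop { uint32_t *data; size_t len; };  /* toy property, not the server's struct */

/* Elements landing past the end in the diagram's layout: the buffer holds
 * old_len + n elements, but the old values are placed starting at old_len. */
size_t diagram_oob_elems(size_t old_len, size_t n)
{
    size_t cap = old_len + n, end = old_len + old_len;
    return end > cap ? end - cap : 0;
}

/* Correct change: 0 on success, -1 on size overflow or allocation failure. */
int prop_change(struct prop *p, enum mode m, const uint32_t *vals, size_t n)
{
    size_t old_len = (m == MODE_REPLACE) ? 0 : p->len;
    size_t max = SIZE_MAX / sizeof(uint32_t);
    if (old_len > max || n > max - old_len)
        return -1;                            /* old_len + n must not wrap */
    size_t total = old_len + n;               /* N + P, not just N */
    uint32_t *buf = calloc(total ? total : 1, sizeof(uint32_t));
    if (!buf)
        return -1;
    /* Prepend: new values at 0, old values shifted by the NEW part's length. */
    size_t new_off = (m == MODE_APPEND) ? old_len : 0;
    size_t old_off = (m == MODE_PREPEND) ? n : 0;
    if (old_len)
        memcpy(buf + old_off, p->data, old_len * sizeof(uint32_t));
    if (n)
        memcpy(buf + new_off, vals, n * sizeof(uint32_t));
    free(p->data);
    p->data = buf;
    p->len = total;
    return 0;
}

int main(void)
{
    struct prop p = { NULL, 0 };
    uint32_t old_vals[5] = { 1, 2, 3, 4, 5 }, new_vals[3] = { 7, 8, 9 };  /* constructed sample */
    prop_change(&p, MODE_REPLACE, old_vals, 5);
    prop_change(&p, MODE_PREPEND, new_vals, 3);
    printf("len=%zu, diagram layout would overrun by %zu\n", p.len, diagram_oob_elems(5, 3));
    free(p.data);
    return 0;
}
```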
| |
|---|
| meson.build |
| randr.c |
| randrstr.h |
| rrcrtc.c |
| rrdispatch.c |
| rrinfo.c |
| rrlease.c |
| rrmode.c |
| rrmonitor.c |
| rroutput.c |
| rrpointer.c |
| rrproperty.c |
| rrprovider.c |
| rrproviderproperty.c |
| rrscreen.c |
| rrsdispatch.c |
| rrtransform.c |
| rrtransform.h |
| rrxinerama.c |