xserver/include
Peter Hutterer a569eb4f36 dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN
XLFDMAXFONTNAMELEN was 256 bytes, but libXfont2 defines MAXFONTNAMELEN
as 1024 and allows font names and alias targets up to that length in
fonts.alias files.

doListFontsAndAliases copies the resolved alias target into a
stack-allocated tmp_pattern[XLFDMAXFONTNAMELEN] and then into
c->current.pattern[XLFDMAXFONTNAMELEN] (defined in LFWIstateRec).
doListFontsWithInfo has the same pattern, copying the resolved name into
c->current.pattern[]. With the old 256-byte limit, a fonts.alias entry
with a target name between 257 and 1023 bytes would overflow both
buffers.

An attacker can exploit this by:
  1. Creating a font directory with a fonts.alias containing an alias
     whose target name exceeds 256 bytes
  2. Using SetFontPath to add the malicious directory
  3. Calling ListFonts with the alias name to trigger alias resolution
  4. The oversized resolved name overflows the 256-byte stack buffer

Increase XLFDMAXFONTNAMELEN from 256 to 1024 to match libXfont2's
MAXFONTNAMELEN, ensuring the server can handle any name the font library
produces.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30136

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bb5158f962)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
2026-06-02 09:47:45 +10:00
.gitignore Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
busfault.h Trap SIGBUS to handle truncated shared memory segments 2013-11-11 15:16:07 -08:00
callback.h Avoid starting a comment with */* 2014-07-17 10:19:52 -07:00
client.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
closestr.h dix: increase XLFDMAXFONTNAMELEN to match libXfont2's MAXFONTNAMELEN 2026-06-02 09:47:45 +10:00
closure.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
colormap.h dix: Unexport various implementation details 2015-07-08 16:40:57 -04:00
colormapst.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
cursor.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
cursorstr.h cursor: drop ARGB_CURSOR 2015-06-30 12:17:51 +10:00
dbus-core.h xfree86: drop double-typedef of DBusConnection 2014-11-12 10:25:00 +10:00
displaymode.h vidmode: move display mode definitions 2016-02-29 16:28:57 -05:00
dix-config-apple-verbatim.h Move the apple fat binary hacks back to a header file, and make it apple-only. 2009-01-30 16:36:45 -08:00
dix-config.h.in dix-config.h: add HAVE_SOCKLEN_T definition 2024-10-30 17:12:06 -07:00
dix.h Convert more funcs to use InternalEvent. 2021-12-19 23:33:28 +02:00
dixaccess.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
dixevents.h dix: Remove redundant declarations. 2012-05-14 13:31:00 +01:00
dixfont.h include: Stop including <X11/fonts/fontproto.h> 2018-10-25 12:32:48 -04:00
dixfontstr.h dix: Switch to the libXfont2 API (v2) 2016-07-18 15:25:59 -04:00
dixgrabs.h xi: Implement grab support for new gesture event types 2021-05-30 13:26:32 +03:00
dixstruct.h os: Define {ReadFdFrom,WriteFdTo}Client unconditionally 2018-03-08 14:12:36 -05:00
eventconvert.h dix: Add new internal event enums for gesture events 2021-05-30 13:26:30 +03:00
events.h xi: Implement internal gesture event struct 2021-05-30 13:26:31 +03:00
eventstr.h mi: reset the PointerWindows reference on screen switch 2023-10-25 10:51:18 +10:00
exevents.h xi: Implement grab support for new gesture event types 2021-05-30 13:26:32 +03:00
extension.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
extinit.h miinitext: Load GLX on the mi path 2018-02-14 17:04:48 -05:00
extnsionst.h dix: Remove extension aliases 2017-06-20 16:37:24 -04:00
fourcc.h glamor: xv: add rgb565 2025-06-30 17:13:16 +03:00
gc.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
gcstruct.h fb: Remove 24bpp support (v3) 2017-03-17 15:14:42 -04:00
globals.h miinitext: General cleanup (v2) 2018-01-22 17:28:12 -05:00
glx_extinit.h miinitext: Load GLX on the mi path 2018-02-14 17:04:48 -05:00
glxvndabi.h Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
hotplug.h config: Replace OdevAttributes linked list with struct 2014-07-17 17:10:48 -07:00
input.h dix: Correctly save replayed event into GrabInfoRec 2022-07-01 15:15:15 +03:00
inputstr.h dix: Implement internal gesture state handling 2021-05-30 13:26:39 +03:00
inpututils.h Implement gesture processing logic 2021-05-30 13:26:42 +03:00
list.h Correct xorg_list_is_empty return value description 2018-02-12 08:09:53 +10:00
Makefile.am Makefile.am: Add missing meson build files to release tarball 2021-11-06 21:22:23 +02:00
meson.build dix-config.h: define HAVE_STRUCT_SOCKADDR_STORAGE for xtrans 1.6 2025-04-08 10:16:56 +02:00
misc.h include: Increase the number of max. input devices to 256. 2019-11-09 23:05:13 -05:00
miscstruct.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
nonsdk_extinit.h Make PseudoramiXExtensionInit() prototype more generally available 2015-03-16 16:56:17 +00:00
opaque.h Allow disabling byte-swapped clients 2024-03-23 14:42:15 -07:00
optionstr.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
os.h Switch to libbsd-overlay 2023-10-23 23:30:14 -04:00
pixmap.h xserver/output: rename some badly named variables/APIs. 2020-07-10 06:17:44 +10:00
pixmapstr.h xserver/output: rename some badly named variables/APIs. 2020-07-10 06:17:44 +10:00
privates.h Fix compilation with windows.h from latest w32api 2021-08-31 16:56:28 +00:00
probes.h dtrace: s/#if/#ifdef/ for XSERVER_DTRACE 2019-08-27 17:38:59 -04:00
property.h Mark the dixChangeWindowProperty() value argument as const 2021-07-30 08:36:35 +00:00
propertyst.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
protocol-versions.h xfixes: Add ClientDisconnectMode 2021-06-07 17:28:05 +02:00
ptrveloc.h dix: indentation fixes for pointer acceleration 2012-05-16 10:59:35 +10:00
region.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
regionstr.h dix: make RegionInit legal C++ 2015-01-23 10:35:49 -08:00
registry.h XSERVER_DTRACE needs request names from registry too 2014-09-22 12:00:46 -07:00
resource.h dix: Fix undefined shift in HashResourceID 2019-10-15 14:06:21 -04:00
rgb.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
screenint.h dix: De-ugly the prototype for Add{GPU,}Screen 2018-10-30 12:21:41 -04:00
scrnintstr.h xserver/output: rename some badly named variables/APIs. 2020-07-10 06:17:44 +10:00
selection.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
servermd.h dix: Fix image byte order on big endian hardware 2015-05-07 14:03:50 -04:00
swaprep.h dix: Unexport various implementation details 2015-07-08 16:40:57 -04:00
swapreq.h dix: Unexport various implementation details 2015-07-08 16:40:57 -04:00
systemd-logind.h xf86/logind: Fix compilation error when built without logind/platform bus 2021-12-20 17:09:17 +01:00
validate.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
version-config.h.in Move VENDOR_* defines from AC_SUBST to a header to avoid angering shave. 2009-04-14 10:35:44 -04:00
vidmodestr.h vidmode: build without xf86vidmodeproto 2016-03-01 11:25:59 -05:00
window.h dix: Add hybrid full-size/empty-clip mode to SetRootClip 2016-02-22 13:26:31 -05:00
windowstr.h dix: Remove WindowRec::backStorage 2019-04-12 21:53:03 +00:00
XIstubs.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xkb-config.h.in Move to autoconf standard function name checks & defines 2011-12-05 14:32:45 -08:00
xkbfile.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbrules.h xkb: add a call to init an XkbRMLVOSet from const chars 2014-02-04 10:53:59 +10:00
xkbsrv.h xkb: Make the RT_XKBCLIENT resource private 2025-10-28 14:15:35 +01:00
xkbstr.h Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
xorg-config.h.in xorg: Remove the XF86PM define. 2018-08-02 10:27:37 -04:00
xorg-config.h.meson.in xorg: Remove the XF86PM define. 2018-08-02 10:27:37 -04:00
xorg-server.h.in xorg: Remove unused definitions from xorg-server.h.in 2018-03-28 09:54:17 -04:00
xorg-server.h.meson.in meson: Generate xorg-server.h 2018-03-28 09:54:22 -04:00
Xprintf.h os/xprintf: add Xvscnprintf and Xscnprintf 2012-05-03 14:59:23 +10:00
xserver-properties.h Add missing labels for multitouch valuators 2012-10-30 15:11:10 +10:00
Xserver.d dtrace: Move Xserver.d from dix/ to include/ 2019-08-27 17:38:54 -04:00
xserver_poll.h Fix typo in error message 2019-01-10 18:40:20 +02:00
xsha1.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xwin-config.h.in configure: Restore DEFAULT_LOGDIR to xwin-config.h, it is used 2014-06-02 13:07:46 +01:00
xwin-config.h.meson.in Add meson.build for XWin server (v2) 2017-06-02 09:32:35 -07:00