Stefan Dirsch
64a4180db5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=102
122 lines
4.7 KiB
Diff
122 lines
4.7 KiB
Diff
From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 13 Jan 2025 16:09:43 +0100
|
|
Subject: [PATCH xserver 2/2] composite: initialize border clip even when
|
|
pixmap alloc fails
|
|
|
|
If it fails to allocate the pixmap, the function compAllocPixmap() would
|
|
return early and leave the borderClip region uninitialized, which may
|
|
lead to the use of uninitialized value as reported by valgrind:
|
|
|
|
Conditional jump or move depends on uninitialised value(s)
|
|
at 0x4F9B33: compClipNotify (compwindow.c:317)
|
|
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
|
by 0x48559A: miValidateTree (mivaltree.c:679)
|
|
by 0x4F0685: MapWindow (window.c:2693)
|
|
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
Uninitialised value was created by a heap allocation
|
|
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
|
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
|
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
|
by 0x4EBB89: CreateWindow (window.c:925)
|
|
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
|
|
Conditional jump or move depends on uninitialised value(s)
|
|
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
|
|
by 0x4F9255: RegionTranslate (regionstr.h:312)
|
|
by 0x4F9B7E: compClipNotify (compwindow.c:319)
|
|
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
|
by 0x48559A: miValidateTree (mivaltree.c:679)
|
|
by 0x4F0685: MapWindow (window.c:2693)
|
|
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
Uninitialised value was created by a heap allocation
|
|
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
|
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
|
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
|
by 0x4EBB89: CreateWindow (window.c:925)
|
|
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
|
|
Conditional jump or move depends on uninitialised value(s)
|
|
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
|
|
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
|
|
by 0x4F9255: RegionTranslate (regionstr.h:312)
|
|
by 0x4F9B7E: compClipNotify (compwindow.c:319)
|
|
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
|
by 0x48559A: miValidateTree (mivaltree.c:679)
|
|
by 0x4F0685: MapWindow (window.c:2693)
|
|
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
Uninitialised value was created by a heap allocation
|
|
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
|
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
|
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
|
by 0x4EBB89: CreateWindow (window.c:925)
|
|
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
|
by 0x4A25B5: Dispatch (dispatch.c:560)
|
|
by 0x4B082A: dix_main (main.c:282)
|
|
by 0x429233: main (stubmain.c:34)
|
|
|
|
Fix compAllocPixmap() to initialize the border clip even if the creation
|
|
of the backing pixmap has failed, to avoid depending later on
|
|
uninitialized border clip values.
|
|
|
|
Related to CVE-2025-26599, ZDI-CAN-25851
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
composite/compalloc.c | 11 ++++++++---
|
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
Index: xwayland-24.1.4/composite/compalloc.c
|
|
===================================================================
|
|
--- xwayland-24.1.4.orig/composite/compalloc.c
|
|
+++ xwayland-24.1.4/composite/compalloc.c
|
|
@@ -606,9 +606,12 @@ compAllocPixmap(WindowPtr pWin)
|
|
int h = pWin->drawable.height + (bw << 1);
|
|
PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
|
|
CompWindowPtr cw = GetCompWindow(pWin);
|
|
+ Bool status;
|
|
|
|
- if (!pPixmap)
|
|
- return FALSE;
|
|
+ if (!pPixmap) {
|
|
+ status = FALSE;
|
|
+ goto out;
|
|
+ }
|
|
if (cw->update == CompositeRedirectAutomatic)
|
|
pWin->redirectDraw = RedirectDrawAutomatic;
|
|
else
|
|
@@ -622,14 +625,16 @@ compAllocPixmap(WindowPtr pWin)
|
|
DamageRegister(&pWin->drawable, cw->damage);
|
|
cw->damageRegistered = TRUE;
|
|
}
|
|
+ status = TRUE;
|
|
|
|
+out:
|
|
/* Make sure our borderClip is up to date */
|
|
RegionUninit(&cw->borderClip);
|
|
RegionCopy(&cw->borderClip, &pWin->borderClip);
|
|
cw->borderClipX = pWin->drawable.x;
|
|
cw->borderClipY = pWin->drawable.y;
|
|
|
|
- return TRUE;
|
|
+ return status;
|
|
}
|
|
|
|
void
|