frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: Do not fail SyncAddTriggerToSyncObject() 

We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.

SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.

Related to CVE-2025-26601, ZDI-CAN-25870

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
This commit is contained in:
Olivier Fourdan 2025-01-20 17:06:07 +01:00
parent f52cea2f93
commit 8cbc90c881
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Xext/sync.c
View File

@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
return Success; return Success;
} }
if (!(pCur = malloc(sizeof(SyncTriggerList)))) /* Failure is not an option, it's succeed or burst! */
return BadAlloc; pCur = XNFalloc(sizeof(SyncTriggerList));
pCur->pTrigger = pTrigger; pCur->pTrigger = pTrigger;
pCur->next = pTrigger->pSync->pTriglist; pCur->next = pTrigger->pSync->pTriglist;
@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
* a new counter on a trigger * a new counter on a trigger
*/ */
if (newSyncObject) { if (newSyncObject) {
if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) SyncAddTriggerToSyncObject(pTrigger);
return rc;
} }
else if (pCounter && IsSystemCounter(pCounter)) { else if (pCounter && IsSystemCounter(pCounter)) {
SyncComputeBracketValues(pCounter); SyncComputeBracketValues(pCounter);