sync: Do not fail SyncAddTriggerToSyncObject()

We do not want to return a failure at the very last step in SyncInitTrigger() after having all changes applied. SyncAddTriggerToSyncObject() must not fail on memory allocation, if the allocation of the SyncTriggerList fails, trigger a FatalError() instead. Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
2025-01-20 17:06:07 +01:00 · 2025-01-20 17:06:07 +01:00 · 8cbc90c881
parent f52cea2f93
commit 8cbc90c881
1 changed files with 3 additions and 4 deletions
--- a/Xext/sync.c
+++ b/Xext/sync.c
@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
            return Success;
    }

-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
-        return BadAlloc;
+    /* Failure is not an option, it's succeed or burst! */
+    pCur = XNFalloc(sizeof(SyncTriggerList));

    pCur->pTrigger = pTrigger;
    pCur->next = pTrigger->pSync->pTriglist;
@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
     *  a new counter on a trigger
     */
    if (newSyncObject) {
-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
-            return rc;
+        SyncAddTriggerToSyncObject(pTrigger);
    }
    else if (pCounter && IsSystemCounter(pCounter)) {
        SyncComputeBracketValues(pCounter);