render: fix CVE-2025-49175

Protect against clients sending an empty series of cursors (a cursor count of zero).

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Enrico Weigelt, metux IT consult 2025-06-17 16:22:53 +02:00 committed by Enrico Weigelt
parent b418203339
commit c430c829d5
2 changed files with 9 additions and 4 deletions


@ -298,6 +298,9 @@ int
AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
CursorPtr *ppCursor, ClientPtr client, XID cid)
{
if (ncursor <= 0)
return BadValue;
CursorPtr pCursor;
int rc = BadAlloc, i;
AnimCurPtr ac;
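Review bot: The new `if (ncursor <= 0) return BadValue;` guard at the top of AnimCursorCreate carries no comment saying which access it protects. The rest of the body is outside this hunk, so a reader cannot see why an empty list is unsafe here; presumably the code below indexes `cursors[]` and `deltas[]` on the assumption that at least one element exists. I would add `/* An animated cursor needs at least one element; reject an empty list before cursors[]/deltas[] are used (CVE-2025-49175). */` directly above the check. The request handler in the other file now performs the same test, so it is also worth saying in that comment that this check is kept on purpose for any caller that does not validate the count itself.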


@ -1784,10 +1784,8 @@ static int
ProcRenderCreateAnimCursor(ClientPtr client)
{
REQUEST(xRenderCreateAnimCursorReq);
CursorPtr *cursors;
CARD32 *deltas;
CursorPtr pCursor;
int ncursor;
xAnimCursorElt *elt;
int i;
int ret;
@ -1796,10 +1794,14 @@ ProcRenderCreateAnimCursor(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->cid, client);
if (client->req_len & 1)
return BadLength;
ncursor =
int ncursor =
(client->req_len -
(bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
cursors = calloc(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
if (ncursor <= 0)
return BadValue;
CursorPtr *cursors = calloc(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
if (!cursors)
return BadAlloc;
deltas = (CARD32 *) (cursors + ncursor);
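Review bot: The `ncursor <= 0` test added in the second hunk only catches an empty element list if the subtraction feeding `ncursor` cannot wrap. If `client->req_len` is unsigned (its declaration is not on this page) and were ever smaller than the fixed request size, the difference would wrap, and after `>> 1` the count would come out large and positive rather than zero or negative, so the guard would pass it on to `calloc` and the later indexing. Presumably a request-length check just above the hunk rules this out; please confirm, and record the dependency with a comment such as `/* req_len >= fixed header is enforced above; each xAnimCursorElt is two 32-bit words, hence >> 1 */`. ProcRenderCreateAnimCursor continues outside the hunk, so the code that fills `cursors` and `deltas` is not visible here.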