From c6ca7b64f2cf928ba78eab702ca0f85cc76352ca Mon Sep 17 00:00:00 2001 From: "Enrico Weigelt, metux IT consult" Date: Thu, 15 Aug 2024 10:58:18 +0200 Subject: [PATCH] Xnest: fix memleak on user specified depth Buffer overflow may happen on user specificed different depth/class: xnestOpenScreen() looks into the wrong table: it's local visuals[] array, instead of the global (non-dedup'ed) list fetched by xlib. The visuals[] array is *much* smaller (deduplicated) than the xnestVisuals[] array, and xnestDefaultVisualIndex is likely to point outside of visual[]'s bounds. Signed-off-by: Enrico Weigelt, metux IT consult --- hw/xnest/Display.c | 24 ------------------------ hw/xnest/Display.h | 1 - hw/xnest/Screen.c | 7 +++++-- 3 files changed, 5 insertions(+), 27 deletions(-) diff --git a/hw/xnest/Display.c b/hw/xnest/Display.c index 42ae690b5..c6764d678 100644 --- a/hw/xnest/Display.c +++ b/hw/xnest/Display.c @@ -43,7 +43,6 @@ is" without express or implied warranty. Display *xnestDisplay = NULL; XVisualInfo *xnestVisuals; int xnestNumVisuals; -int xnestDefaultVisualIndex; Colormap *xnestDefaultColormaps; static uint16_t xnestNumDefaultColormaps; int xnestNumPixmapFormats; 
@@ -92,29 +91,6 @@ xnestOpenDisplay(int argc, char *argv[]) if (xnestNumVisuals == 0 || xnestVisuals == NULL) FatalError("Unable to find any visuals.\n"); - if (xnestUserDefaultClass || xnestUserDefaultDepth) { - xnestDefaultVisualIndex = UNDEFINED; - for (i = 0; i < xnestNumVisuals; i++) - if ((!xnestUserDefaultClass || - xnestVisuals[i].class == xnestDefaultClass) - && - (!xnestUserDefaultDepth || - xnestVisuals[i].depth == xnestDefaultDepth)) { - xnestDefaultVisualIndex = i; - break; - } - if (xnestDefaultVisualIndex == UNDEFINED) - FatalError("Unable to find desired default visual.\n"); - } - else { - vi.visualid = XVisualIDFromVisual(DefaultVisual(xnestDisplay, - xnestUpstreamInfo.screenId)); - xnestDefaultVisualIndex = 0; - for (i = 0; i < xnestNumVisuals; i++) - if (vi.visualid == xnestVisuals[i].visualid) - xnestDefaultVisualIndex = i; - } - xnestNumDefaultColormaps = xnestNumVisuals; xnestDefaultColormaps = xallocarray(xnestNumDefaultColormaps, sizeof(Colormap)); diff --git a/hw/xnest/Display.h b/hw/xnest/Display.h index d04b538df..6e02c666b 100644 --- a/hw/xnest/Display.h +++ b/hw/xnest/Display.h @@ -27,7 +27,6 @@ is" without express or implied warranty. extern Display *xnestDisplay; extern XVisualInfo *xnestVisuals; extern int xnestNumVisuals; -extern int xnestDefaultVisualIndex; extern Colormap *xnestDefaultColormaps; extern int xnestNumDefaultClormaps; extern int xnestNumPixmapFormats; diff --git a/hw/xnest/Screen.c b/hw/xnest/Screen.c index 60f95ae7a..b038a8d00 100644 --- a/hw/xnest/Screen.c +++ b/hw/xnest/Screen.c 
@@ -264,8 +264,11 @@ xnestOpenScreen(ScreenPtr pScreen, int argc, char *argv[]) } visuals = reallocarray(visuals, numVisuals, sizeof(VisualRec)); - defaultVisual = visuals[xnestDefaultVisualIndex].vid; - rootDepth = visuals[xnestDefaultVisualIndex].nplanes; + if (!found_default_visual) { + ErrorF("Xnest: can't find matching visual for user specified depth %d\n", xnestDefaultDepth); + defaultVisual = visuals[0].vid; + rootDepth = visuals[0].nplanes; + } if (xnestParentWindow != 0) { xRectangle r = xnestGetGeometry(xnestUpstreamInfo.conn, xnestParentWindow);
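Review bot: The fallback branch reads `visuals[0]` directly after `visuals = reallocarray(visuals, numVisuals, sizeof(VisualRec));`, whose result is not checked, and nothing in the hunk shows `numVisuals` to be non-zero, so the out-of-bounds or NULL read this commit sets out to remove can still occur on that path. A guard such as `if (visuals == NULL || numVisuals == 0) FatalError("Xnest: no visuals available\n");` ahead of the `if (!found_default_visual)` block would close it. `found_default_visual` is neither declared nor assigned in this patch (the diffstat lists only these seven changed lines for Screen.c), so it, and the values of `defaultVisual` and `rootDepth` on the matching path, must come from code outside the hunk; it is worth confirming they are set on every path before use. The removed code in Display.c stopped with `FatalError("Unable to find desired default visual.\n")` and also matched on `xnestDefaultClass`, whereas the new message names only the depth and the server carries on with a different visual, so a comment such as `/* requested class/depth not available: fall back to the first visual */` would record that the fallback is intentional. xnestOpenScreen's body starts and ends outside the hunk.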