frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xnest: fix memleak on user specified depth 

Buffer overflow may happen on user specificed different depth/class:

xnestOpenScreen() looks into the wrong table: it's local visuals[] array,
instead of the global (non-dedup'ed) list fetched by xlib. The visuals[]
array is *much* smaller (deduplicated) than the xnestVisuals[] array,
and xnestDefaultVisualIndex is likely to point outside of visual[]'s bounds.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-15 10:58:18 +02:00
parent ecb8ca56b5
commit c6ca7b64f2
3 changed files with 5 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
hw/xnest/Display.c
View File

@ -43,7 +43,6 @@ is" without express or implied warranty.
Display *xnestDisplay = NULL; Display *xnestDisplay = NULL;
XVisualInfo *xnestVisuals; XVisualInfo *xnestVisuals;
int xnestNumVisuals; int xnestNumVisuals;
int xnestDefaultVisualIndex;
Colormap *xnestDefaultColormaps; Colormap *xnestDefaultColormaps;
static uint16_t xnestNumDefaultColormaps; static uint16_t xnestNumDefaultColormaps;
int xnestNumPixmapFormats; int xnestNumPixmapFormats;
@ -92,29 +91,6 @@ xnestOpenDisplay(int argc, char *argv[])
if (xnestNumVisuals == 0 || xnestVisuals == NULL) if (xnestNumVisuals == 0 || xnestVisuals == NULL)
FatalError("Unable to find any visuals.\n"); FatalError("Unable to find any visuals.\n");
if (xnestUserDefaultClass || xnestUserDefaultDepth) {
xnestDefaultVisualIndex = UNDEFINED;
for (i = 0; i < xnestNumVisuals; i++)
if ((!xnestUserDefaultClass ||
xnestVisuals[i].class == xnestDefaultClass)
&&
(!xnestUserDefaultDepth ||
xnestVisuals[i].depth == xnestDefaultDepth)) {
xnestDefaultVisualIndex = i;
break;
}
if (xnestDefaultVisualIndex == UNDEFINED)
FatalError("Unable to find desired default visual.\n");
}
else {
vi.visualid = XVisualIDFromVisual(DefaultVisual(xnestDisplay,
xnestUpstreamInfo.screenId));
xnestDefaultVisualIndex = 0;
for (i = 0; i < xnestNumVisuals; i++)
if (vi.visualid == xnestVisuals[i].visualid)
xnestDefaultVisualIndex = i;
}
xnestNumDefaultColormaps = xnestNumVisuals; xnestNumDefaultColormaps = xnestNumVisuals;
xnestDefaultColormaps = xallocarray(xnestNumDefaultColormaps, xnestDefaultColormaps = xallocarray(xnestNumDefaultColormaps,
sizeof(Colormap)); sizeof(Colormap));

1
hw/xnest/Display.h
View File

@ -27,7 +27,6 @@ is" without express or implied warranty.
extern Display *xnestDisplay; extern Display *xnestDisplay;
extern XVisualInfo *xnestVisuals; extern XVisualInfo *xnestVisuals;
extern int xnestNumVisuals; extern int xnestNumVisuals;
extern int xnestDefaultVisualIndex;
extern Colormap *xnestDefaultColormaps; extern Colormap *xnestDefaultColormaps;
extern int xnestNumDefaultClormaps; extern int xnestNumDefaultClormaps;
extern int xnestNumPixmapFormats; extern int xnestNumPixmapFormats;

7
hw/xnest/Screen.c
View File

@ -264,8 +264,11 @@ xnestOpenScreen(ScreenPtr pScreen, int argc, char *argv[])
} }
visuals = reallocarray(visuals, numVisuals, sizeof(VisualRec)); visuals = reallocarray(visuals, numVisuals, sizeof(VisualRec));
defaultVisual = visuals[xnestDefaultVisualIndex].vid; if (!found_default_visual) {
rootDepth = visuals[xnestDefaultVisualIndex].nplanes; ErrorF("Xnest: can't find matching visual for user specified depth %d\n", xnestDefaultDepth);
defaultVisual = visuals[0].vid;
rootDepth = visuals[0].nplanes;
}
if (xnestParentWindow != 0) { if (xnestParentWindow != 0) {
xRectangle r = xnestGetGeometry(xnestUpstreamInfo.conn, xnestParentWindow); xRectangle r = xnestGetGeometry(xnestUpstreamInfo.conn, xnestParentWindow);