bdca6c3d1f
Previously, AllocateGlyph would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. AddGlyph may free a glyph, resulting in a UAF when the same glyph pointer is then later used. Fix this by returning a refcount of 1 for a new glyph and always incrementing the refcount for a re-used glyph, followed by dropping that refcount back down again when we're done with it. CVE-2024-31083, ZDI-CAN-22880 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> |
||
|---|---|---|
| .. | ||
| animcur.c | ||
| filter.c | ||
| glyph.c | ||
| glyphstr.h | ||
| glyphstr_priv.h | ||
| matrix.c | ||
| meson.build | ||
| miindex.c | ||
| mipict.c | ||
| mipict.h | ||
| mirect.c | ||
| mitrap.c | ||
| mitri.c | ||
| picture.c | ||
| picture.h | ||
| picturestr.h | ||
| picturestr_priv.h | ||
| render.c | ||