xserver/randr
Peter Hutterer 541ab2ecd4 Xi/randr: fix handling of PropModeAppend/Prepend
The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.

Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitialized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.

CVE-2023-5367, ZDI-CAN-22153

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2023-10-25 00:32:52 +00:00
meson.build meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
randr.c present: fallback get_crtc to return crtc belonging to screen with present extension 2021-07-20 08:10:46 +02:00
randrstr.h randr: introduce rrCrtcGetInfo DDX function 2023-01-03 23:27:29 +07:00
rrcrtc.c randr: introduce rrCrtcGetInfo DDX function 2023-01-03 23:27:29 +07:00
rrdispatch.c Add RandR leases with modesetting driver support [v6] 2018-02-27 12:39:50 -05:00
rrinfo.c Convert top level extensions to new *allocarray functions 2015-04-21 16:57:08 -07:00
rrlease.c randr: add new interface to allow delaying lease responses 2021-12-07 10:02:29 +00:00
rrmode.c Add RandR leases with modesetting driver support [v6] 2018-02-27 12:39:50 -05:00
rrmonitor.c randr: Correctly get physical size for screen with RandR 1.5 2022-08-09 07:17:07 +00:00
rroutput.c xserver/output: rename some badly named variables/APIs. 2020-07-10 06:17:44 +10:00
rrpointer.c randr: Fix logic in RRPointerToNearestCrtc 2014-07-30 14:40:17 -07:00
rrproperty.c Xi/randr: fix handling of PropModeAppend/Prepend 2023-10-25 00:32:52 +00:00
rrprovider.c present: fix msc offset calculation in screen mode 2021-04-16 10:53:43 +00:00
rrproviderproperty.c Convert top level extensions to new *allocarray functions 2015-04-21 16:57:08 -07:00
rrscreen.c xserver/output: rename some badly named variables/APIs. 2020-07-10 06:17:44 +10:00
rrsdispatch.c Add RandR leases with modesetting driver support [v6] 2018-02-27 12:39:50 -05:00
rrtransform.c randr: Silence -Wshift-negative-value warnings 2015-10-19 11:51:52 -04:00
rrtransform.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
rrxinerama.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00