c1ff84bef2
The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error. However that failure code path will shortcut the validation of the window tree marked just before, which leaves the validate data partly initialized. That causes a use of uninitialized pointer later. The fix is to not shortcut the call to compHandleMarkedWindows() even in the case of compCheckRedirect() returning an error. CVE-2025-26599, ZDI-CAN-25851 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Acked-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828> |
||
|---|---|---|
| .. | ||
| compalloc.c | ||
| compext.c | ||
| compinit.c | ||
| compint.h | ||
| compositeext.h | ||
| compositeext_priv.h | ||
| compoverlay.c | ||
| compwindow.c | ||
| meson.build | ||