frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xserver/randr
History
Olivier Fourdan 948630fa42 randr: Check for overflow in RRChangeProviderProperty() 
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.

CVE-2025-49180

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
 		2025-06-17 20:01:25 +02:00
..
meson.build meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
randr.c miext: move over extinit_priv.h from include 2025-06-12 17:21:46 +02:00
randrstr.h randr: export RRGetOutputProperty for nvidia 2025-06-16 10:32:48 +02:00
randrstr_priv.h randr: export RRGetOutputProperty for nvidia 2025-06-16 10:32:48 +02:00
rrcrtc.c randr: fix BUG_RETURN_VAL check 2025-06-16 10:32:48 +02:00
rrdispatch.c randr: use calloc() instead of malloc() 2025-06-12 16:49:37 +02:00
rrdispatch_priv.h randr: move remaining dispatch prototypes to rrdispatch.h 2025-06-12 16:27:20 +02:00
rrinfo.c randr: use calloc() instead of malloc() 2025-06-12 16:49:37 +02:00
rrlease.c randr: move remaining dispatch prototypes to rrdispatch.h 2025-06-12 16:27:20 +02:00
rrmode.c dix: add dixAllocServerXID() 2025-06-12 17:21:48 +02:00
rrmonitor.c randr: use calloc() instead of malloc() 2025-06-12 16:49:37 +02:00
rroutput.c dix: add dixAllocServerXID() 2025-06-12 17:21:48 +02:00
rrpointer.c randr: unexport and document RRCrtcGetScanoutSize() 2025-06-12 16:27:50 +02:00
rrproperty.c randr: replace xallocarray() by calloc() 2025-06-12 17:21:43 +02:00
rrprovider.c dix: add dixAllocServerXID() 2025-06-12 17:21:48 +02:00
rrproviderproperty.c randr: Check for overflow in RRChangeProviderProperty() 2025-06-17 20:01:25 +02:00
rrscreen.c randr: use calloc() instead of malloc() 2025-06-12 16:49:37 +02:00
rrsdispatch.c randr: unexport screen related request handlers 2025-06-12 16:27:05 +02:00
rrtransform.c randr: replace xallocarray() by calloc() 2025-06-12 17:21:43 +02:00
rrtransform.h randr: unexport and document RRTransformCopy() 2025-06-12 16:30:10 +02:00
rrxinerama.c randr: use struct initializer for reply structs 2025-02-24 20:30:26 +00:00