Olivier Fourdan
bba9df1a9d
Xi: Fix barrier device search
The function GetBarrierDevice() would search for the pointer device
based on its device id and return the matching value, or supposedly NULL
if no match was found.
Unfortunately, as written, it would return the last element of the list
if no matching device id was found, which can lead to out of bounds
memory access.
Fix the search function to return NULL if no matching device is found,
and adjust the callers to handle the case where the device cannot be
found.
CVE-2025-26598, ZDI-CAN-25740
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
2025-02-25 11:43:01 +01:00