XLibre/xserver
1
1
Fork 0
mirror of https://github.com/X11Libre/xserver.git synced 2026-03-24 18:54:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b8a84cb0f2807b07ab70ca9915fcdee21301b8ca
xserver/Xext
History
Peter Hutterer 842ca3ccef Xext: free the screen saver resource when replacing it 
This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.

When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the clients resources.

Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
2022-12-14 11:02:40 +10:00
..
bigreq.c
Move extension initialisation prototypes into extinit.h
2012-07-09 23:06:41 -07:00
dpms.c
Change the DPMS initialization to be conditional on not set from config
2018-06-26 17:14:34 -07:00
dpmsproc.h
dpms: Consolidate a bunch of stuff into Xext/dpms.c
2017-03-27 15:59:47 -04:00
geext.c
More missing version checks in SProcs
2021-08-08 12:43:01 +00:00
geext.h
Move extension initialisation prototypes into extinit.h
2012-07-09 23:06:41 -07:00
geint.h
xge: Hide some implementation details
2015-07-08 16:40:58 -04:00
hashtable.c
dix: Fix undefined shift in ht_generic_hash
2019-10-15 14:06:30 -04:00
hashtable.h
Fix spelling/wording issues
2020-07-05 13:07:33 -07:00
meson.build
meson: hide C API if Xorg is disabled (like autotools)
2021-03-11 00:22:36 +00:00
panoramiX.c
Xext: dynamically allocate the PanoramiXDepths[j].vids array
2018-07-19 11:52:14 +10:00
panoramiX.h
Drop trailing whitespaces
2014-11-12 10:25:00 +10:00
panoramiXh.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
panoramiXprocs.c
dix: Call SourceValidate before GetImage
2019-10-30 16:26:01 +00:00
panoramiXsrv.h
Replace 'pointer' type with 'void *'
2014-01-12 10:24:11 -08:00
panoramiXSwap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
saver.c
Xext: free the screen saver resource when replacing it
2022-12-14 11:02:40 +10:00
security.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
securitysrv.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
shape.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
shm.c
os, shm: fcntl()'s third argument is integer, not pointer
2020-12-18 09:36:30 -05:00
shmint.h
xext: Fix shmint.h to not use headers outside of sdk_HEADERS
2013-11-14 10:22:15 +09:00
sleepuntil.c
os: Don't crash in AttendClient if the client is gone
2019-11-19 10:15:05 -08:00
sleepuntil.h
Replace 'pointer' type with 'void *'
2014-01-12 10:24:11 -08:00
sync.c
xsync: Add resource inside of SyncCreate, export SyncCreate
2019-04-17 14:01:17 -07:00
syncsdk.h
xsync: Add resource inside of SyncCreate, export SyncCreate
2019-04-17 14:01:17 -07:00
syncsrv.h
sync: Convert from "CARD64" to int64_t.
2017-09-20 13:19:27 -04:00
vidmode.c
Fix spelling/wording issues
2020-07-05 13:07:33 -07:00
xace.c
xace: Don't censor window borders
2016-09-28 15:25:07 -04:00
xace.h
xace: Remove the audit hooks and tune dispatch
2016-06-10 13:26:19 -04:00
xacestr.h
Replace 'pointer' type with 'void *'
2014-01-12 10:24:11 -08:00
xcmisc.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xf86bigfont.c
Drop workaround for pre-glibc linux
2017-05-11 15:24:01 -04:00
xf86bigfontsrv.h
Move extension initialisation prototypes into extinit.h
2012-07-09 23:06:41 -07:00
xres.c
Fix spelling/wording issues
2020-07-05 13:07:33 -07:00
xselinux_ext.c
selinux: Stop using security_context_t
2021-08-17 16:02:39 -04:00
xselinux_hooks.c
selinux: Stop using security_context_t
2021-08-17 16:02:39 -04:00
xselinux_label.c
selinux: Stop using security_context_t
2021-08-17 16:02:39 -04:00
xselinux.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xselinuxint.h
selinux: Stop using security_context_t
2021-08-17 16:02:39 -04:00
xtest.c
Xtest: disallow GenericEvents in XTestSwapFakeInput
2022-12-12 10:55:49 +10:00
xvdisp.c
Unvalidated lengths
2017-10-10 23:33:34 +02:00
xvdisp.h
Fix swapped Xv dispatch under Xinerama.
2007-12-02 14:15:36 -05:00
xvdix.h
Drop trailing whitespaces
2014-11-12 10:25:00 +10:00
xvmain.c
Xext: free the XvRTVideoNotify when turning off from the same client
2022-12-14 11:02:06 +10:00
xvmc.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xvmcext.h
Replace 'pointer' type with 'void *'
2014-01-12 10:24:11 -08:00