mirror of
https://github.com/X11Libre/xserver.git
synced 2026-03-24 10:14:52 +00:00
c1ff84bef2
The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error. However that failure code path will shortcut the validation of the window tree marked just before, which leaves the validate data partly initialized. That causes a use of uninitialized pointer later. The fix is to not shortcut the call to compHandleMarkedWindows() even in the case of compCheckRedirect() returning an error. CVE-2025-26599, ZDI-CAN-25851 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Acked-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>