path: root/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
blob: 47c247ef0c909a60d5026969e1e7f954961d91c4 (plain)
From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 24 Oct 2023 12:09:36 +1000
Subject: [PATCH] dix: always initialize pScreen->CloseScreen

CloseScreen is wrapped by the various modules, many of which do not
check if they're the last ones unwrapping. This is fine if the order of
those modules never changes but when it does we might get a NULL-pointer
dereference by some naive code doing a

   pScreen->CloseScreen = priv->CloseScreen;
   free(priv);
   return (*pScreen->CloseScreen)(pScreen);

To avoid this set it to a default function that just returns TRUE that's
guaranteed to be the last one.

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]
CVE: CVE-2023-5574
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 dix/dispatch.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index eaac39b7c9..cd092fd409 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = {
     3                           /* 64 bits per scanline pad unit */
 };
 
+static Bool
+DefaultCloseScreen(ScreenPtr screen)
+{
+    return TRUE;
+}
+
 /*
 	grow the array of screenRecs if necessary.
 	call the device-supplied initialization procedure
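Review bot: DefaultCloseScreen is added with no comment, so its purpose as the terminal entry of the CloseScreen wrap chain is recorded only in the commit message. Without that context a no-op returning TRUE with an ignored `screen` argument looks like dead code and is an easy target for a later cleanup, which would bring back the NULL call this patch guards against. I would put a comment directly above the definition, for example `/* Last link of the CloseScreen wrap chain: keeps a module that unwraps out of order from calling through a NULL pointer. */`.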
@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu)
             PixmapWidthPaddingInfo[depth].notPower2 = 0;
         }
     }
+
+    pScreen->CloseScreen = DefaultCloseScreen;
+
     return 0;
 }
 
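Review bot: The assignment before `return 0;` guarantees only that the wrap chain ends in a callable function; it does not make the unwrap pattern quoted in the commit message order-safe. A wrapper that restores a stale saved pointer still leaves the chain inconsistent, it just no longer ends in a NULL call. A short comment here, such as `/* never leave CloseScreen NULL; wrappers may unwrap in any order */`, would record that intent. It may also be worth checking whether any code tests `pScreen->CloseScreen` against NULL to decide if a screen was set up, since that test would now always succeed; none is visible in this hunk. init_screen begins outside the hunk, so I cannot tell whether an earlier return path skips this assignment.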
-- 
GitLab