Skip to content
Snippets Groups Projects
Commit 01941a83 authored by Peter Hutterer's avatar Peter Hutterer Committed by Alan Coopersmith
Browse files

render: fix refcounting of glyphs during ProcRenderAddGlyphs

Previously, AllocateGlyph would return a new glyph with refcount=0 and a
re-used glyph would end up not changing the refcount at all. The
resulting glyph_new array would thus have multiple entries pointing to
the same non-refcounted glyphs.

AddGlyph may free a glyph, resulting in a UAF when the same glyph
pointer is then later used.

Fix this by returning a refcount of 1 for a new glyph and always
incrementing the refcount for a re-used glyph, followed by dropping that
refcount back down again when we're done with it.

CVE-2024-31083, ZDI-CAN-22880

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

(backported from commit bdca6c3d)

Part-of: <xorg/xserver!1464>
parent 672b26d1
Loading
Checking pipeline status
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment