Commit 1e847845 authored by Peter Hutterer

Xi/randr: fix handling of PropModeAppend/Prepend


The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.

Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitialized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.

CVE-2023-5367, ZDI-CAN-22153

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 541ab2ec)
parent 829a9911
1 merge request: !1191 Backport CVE-2023-5367 to Xwayland
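
The buffer layout the commit message calls for, as an added example: a simplified model written for this page, not the X server's code and not the patch itself. `struct prop`, `prop_change` and the `MODE_*` names are hypothetical; the point is that the stored length becomes N + P and that the old elements are placed after the N new ones when prepending.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a property: len counts elements. */
enum prop_mode { MODE_REPLACE, MODE_PREPEND, MODE_APPEND };
struct prop { unsigned char *data; size_t len; size_t elem_size; };

/* Returns 0 on success, -1 on size overflow or allocation failure. */
int prop_change(struct prop *p, enum prop_mode mode, const void *new_data, size_t n)
{
    size_t old = (mode == MODE_REPLACE) ? 0 : p->len; /* P elements kept */
    size_t total, new_off, old_off;
    unsigned char *buf;

    /* Reject element counts or byte sizes that would wrap around. */
    if (p->elem_size == 0 || n > SIZE_MAX - old)
        return -1;
    total = old + n;                                  /* N + P, never just N */
    if (total > SIZE_MAX / p->elem_size)
        return -1;
    /* Byte offsets: prepend puts old data after the N new elements,
     * append puts new data after the P old elements. */
    new_off = (mode == MODE_APPEND) ? old * p->elem_size : 0;
    old_off = (mode == MODE_PREPEND) ? n * p->elem_size : 0;

    buf = malloc(total ? total * p->elem_size : 1);
    if (!buf)
        return -1;
    if (old)
        memcpy(buf + old_off, p->data, old * p->elem_size);
    if (n)
        memcpy(buf + new_off, new_data, n * p->elem_size);
    free(p->data);
    p->data = buf;
    p->len = total;
    return 0;
}

int main(void)
{
    /* Constructed sample: prepend 3 elements to a 5-element property. */
    uint32_t five[5] = {1, 2, 3, 4, 5}, three[3] = {7, 8, 9}, out[8];
    struct prop p = { NULL, 0, sizeof(uint32_t) };
    if (prop_change(&p, MODE_REPLACE, five, 5) || prop_change(&p, MODE_PREPEND, three, 3))
        return 1;
    memcpy(out, p.data, sizeof out);
    for (size_t i = 0; i < p.len; i++) printf("%u ", (unsigned)out[i]);
    printf("(len=%zu)\n", p.len);
    free(p.data);
    return 0;
}
```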