Skip to content

possible use after free in /dix/devices.c AttachDevice

I noticed a possible use after free in /dix/devices.c AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)

if the following are true:

IsFloating(dev) && !master && !dev->enabled && dev->spriteInfo->paired == dev

free is here:

https://gitlab.freedesktop.org/xorg/xserver/-/blob/0ba6d8c37071131a49790243cdac55392ecf71ec/dix/devices.c#L2632

use is here:

https://gitlab.freedesktop.org/xorg/xserver/-/blob/0ba6d8c37071131a49790243cdac55392ecf71ec/dix/devices.c#L2647

I don't know when they are true, but it looks scary. Perhaps setting the dev->spriteInfo->sprite to NULL would reassure readers.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information