Skip to content

Xi/randr: fix handling of PropModeAppend/Prepend

Peter Hutterer requested to merge whot/xserver:wip/cve-2023-5367 into master

The handling of appending/prepending properties was incorrect, with at least two bugs: the property length was set to the length of the new part only, i.e. appending or prepending N elements to a property with P existing elements always resulted in the property having N elements instead of N + P.

Second, when pre-pending a value to a property, the offset for the old values was incorrect, leaving the new property with potentially uninitalized values and/or resulting in OOB memory writes. For example, prepending a 3 element value to a 5 element property would result in this 8 value array:

  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in both.

CVE-2023-5367, ZDI-CAN-22153

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Edited by Peter Hutterer

Merge request reports