842ca3ccef
This fixes a use-after-free bug: When a client first calls ScreenSaverSetAttributes(), a struct ScreenSaverAttrRec is allocated and added to the client's resources. When the same client calls ScreenSaverSetAttributes() again, a new struct ScreenSaverAttrRec is allocated, replacing the old struct. The old struct was freed but not removed from the clients resources. Later, when the client is destroyed the resource system invokes ScreenSaverFreeAttr and attempts to clean up the already freed struct. Fix this by letting the resource system free the old attrs instead. CVE-2022-46343, ZDI-CAN 19404 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
||
|---|---|---|
| .. | ||
| bigreq.c | ||
| dpms.c | ||
| dpmsproc.h | ||
| geext.c | ||
| geext.h | ||
| geint.h | ||
| hashtable.c | ||
| hashtable.h | ||
| meson.build | ||
| panoramiX.c | ||
| panoramiX.h | ||
| panoramiXSwap.c | ||
| panoramiXh.h | ||
| panoramiXprocs.c | ||
| panoramiXsrv.h | ||
| saver.c | ||
| security.c | ||
| securitysrv.h | ||
| shape.c | ||
| shm.c | ||
| shmint.h | ||
| sleepuntil.c | ||
| sleepuntil.h | ||
| sync.c | ||
| syncsdk.h | ||
| syncsrv.h | ||
| vidmode.c | ||
| xace.c | ||
| xace.h | ||
| xacestr.h | ||
| xcmisc.c | ||
| xf86bigfont.c | ||
| xf86bigfontsrv.h | ||
| xres.c | ||
| xselinux.h | ||
| xselinux_ext.c | ||
| xselinux_hooks.c | ||
| xselinux_label.c | ||
| xselinuxint.h | ||
| xtest.c | ||
| xvdisp.c | ||
| xvdisp.h | ||
| xvdix.h | ||
| xvmain.c | ||
| xvmc.c | ||
| xvmcext.h | ||