author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2023-10-25 05:16:41 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2023-10-25 05:16:41 +0000 |
commit | 3fa480415b22a9a0bad6388bd24d62cfa3cb8090 (patch) | |
tree | b121884ae3ac1a0f727193ea589dd051eab5d9af /xserver/mi | |
parent | 6fab7f830fb5dcdce6072303c7a1b95d158d797f (diff) |
Fix several input validation errors in the X server
CVE-2023-5367 CVE-2023-5380 CVE-2023-5574
Diffstat (limited to 'xserver/mi')
-rw-r--r-- | xserver/mi/mipointer.c | 17 | ||||
-rw-r--r-- | xserver/mi/miscrinit.c | 2 |
2 files changed, 16 insertions, 3 deletions
diff --git a/xserver/mi/mipointer.c b/xserver/mi/mipointer.c
index a638f25d4..8cf003514 100644
--- a/xserver/mi/mipointer.c
+++ b/xserver/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
 #ifdef PANORAMIX
 && noPanoramiXExtension
 #endif
- )
- UpdateSpriteForScreen(pDev, pScreen);
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
 }

 /**
diff --git a/xserver/mi/miscrinit.c b/xserver/mi/miscrinit.c
index 3bb52b1bc..b88938c9a 100644
--- a/xserver/mi/miscrinit.c
+++ b/xserver/mi/miscrinit.c
@@ -249,10 +249,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits, /* pointer to screen bits */
 pScreen->numVisuals = numVisuals;
 pScreen->visuals = visuals;
 if (width) {
+ pScreen->CloseScreen = miCloseScreen;
 #ifdef MITSHM
 ShmRegisterFbFuncs(pScreen);
 #endif
- pScreen->CloseScreen = miCloseScreen;
 }
 /* else CloseScreen */
 /* QueryBestSize */ |
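Review bot: In the new block of miPointerWarpCursor, `LeaveWindow()` may run twice on the same device: once as `LeaveWindow(pDev)` and again as `LeaveWindow(master)`. This happens if `GetMaster(pDev, MASTER_POINTER)` returns `pDev` itself when `pDev` is already a master pointer; GetMaster's body is not in this hunk, so this needs confirming. If that case exists and the second call is not a harmless no-op, guard it with `if (master && master != pDev)`. The comment documents the stale PointerWindows[] reference well, but it could also say whether the LeaveWindow calls must stay ahead of `UpdateSpriteForScreen(pDev, pScreen);`, so the use-after-free fix is not undone by a later reorder. Both the function and the `if` condition begin outside the hunk.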
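Review bot: The reason `pScreen->CloseScreen = miCloseScreen;` must now precede `ShmRegisterFbFuncs(pScreen)` is not recorded next to the code, so a later cleanup could move the assignment back and reintroduce the problem. Presumably ShmRegisterFbFuncs() saves and wraps the current CloseScreen hook (its body is not in this hunk), in which case assigning afterwards would overwrite the wrapper and skip its teardown. I would add a comment above the assignment such as `/* Set before ShmRegisterFbFuncs(), which wraps CloseScreen; assigning later would drop the wrapper */`. miScreenInit continues outside the hunk.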