File 0001-Fix-updating-outputs-info-v2.patch of Package xscreensaver.24903
From bf96212d0102c5c41cce8c2f05d55db286001702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Sun, 27 Jun 2021 16:17:15 +0200
Subject: [PATCH] Fix updating outputs info (v2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

When an output is disconnected, update_screen_layout() will try to unset
a property on the window assigned to that output. It does that by iterating
si->screens up to 'count', while 'good_count' signifies how many outputs
are currently connected (good_count <= count). si->screens has a few more
entries allocated (at start 10), but if there are more disconnected
outputs, the iteration will go beyond the si->screens array.

The only out-of-bounds access there is reading the window ID to delete the
property from, which in most cases will be a bogus number -> crashing
xscreensaver with a BadWindow error.

Fix this by allocating the array up to the full 'count' entries, even if much
fewer outputs are connected at the moment.

The same code has another vulnerability. When si->screens is
reallocated when more outputs appear, the newly allocated part is then
initialized with zeros (via a memset() call). But it does memset() not
only on the newly allocated area, but also on the previously unused area. That
"unused" area could in fact have been used earlier and some other structures
may point at it. One such place is password_dialog_data->prompt_screen,
used by PAM. If it points at a screen that is reset by the memset()
call, the xscreensaver process will crash at the earliest PAM
callback.

Fix this by really resetting only the newly allocated area.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
driver/screens.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/driver/screens.c b/driver/screens.c
index 5aeb55d5..ed43a8d9 100644
--- a/driver/screens.c
+++ b/driver/screens.c
@@ -1020,13 +1020,13 @@ update_screen_layout (saver_info *si)
calloc (sizeof(*si->screens), si->ssi_count);
}
- if (si->ssi_count <= good_count)
+ if (si->ssi_count <= count)
{
- si->ssi_count = good_count + 10;
si->screens = (saver_screen_info *)
- realloc (si->screens, sizeof(*si->screens) * si->ssi_count);
- memset (si->screens + si->nscreens, 0,
- sizeof(*si->screens) * (si->ssi_count - si->nscreens));
+ realloc (si->screens, sizeof(*si->screens) * count);
+ memset (si->screens + si->ssi_count, 0,
+ sizeof(*si->screens) * (count - si->ssi_count));
+ si->ssi_count = count;
}
if (! si->screens) abort();
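Review bot: the new memset() still runs before the `if (! si->screens) abort();` check that closes the hunk, so when realloc() fails and returns NULL the memset writes through `NULL + si->ssi_count` before the check ever fires; hoist the NULL check to directly after the `realloc (si->screens, sizeof(*si->screens) * count);` line (or move the memset below the existing check) so the failure path aborts cleanly instead of faulting on a bogus pointer. A secondary point: dropping the `+ 10` headroom means the array is now reallocated (and, with `<=`, even when `si->ssi_count == count`, reallocated to the same size) every time `count` grows; that is correct, but the change in growth policy deserves a sentence in the commit message, and `<` would avoid the no-op realloc.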
--
2.31.1