File U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch of Package xorg-x11-server

From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 17 Dec 2024 15:19:45 +0100
Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in
 compRedirectWindow()

The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.

In that case, compRedirectWindow() will return a BadAlloc error.

However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.

That causes a use of uninitialized pointer later.

The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.

CVE-2025-26599, ZDI-CAN-25851

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 composite/compalloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Index: xwayland-24.1.4/composite/compalloc.c
===================================================================
--- xwayland-24.1.4.orig/composite/compalloc.c
+++ xwayland-24.1.4/composite/compalloc.c
@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, Wi
     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
     WindowPtr pLayerWin;
     Bool anyMarked = FALSE;
+    int status = Success;
 
     if (pWin == cs->pOverlayWin) {
         return Success;
@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, Wi
 
     if (!compCheckRedirect(pWin)) {
         FreeResource(ccw->id, RT_NONE);
-        return BadAlloc;
+        status = BadAlloc;
     }
 
     if (anyMarked)
         compHandleMarkedWindows(pWin, pLayerWin);
 
-    return Success;
+    return status;
 }
 
 void