xkb: reset the radio_groups pointer to NULL after freeing it
Unlike other elements of the keymap, this pointer was freed but not
reset. On a subsequent XkbGetKbdByName request, the server may access
already freed memory.

CVE-2022-4283, ZDI-CAN-19530

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
whot authored and dcommander committed Sep 14, 2023
1 parent b826d41 commit 72f16a9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions unix/Xvnc/programs/Xserver/xkb/xkbUtils.c
Expand Up @@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
}
else {
free(dst->names->radio_groups);
dst->names->radio_groups = NULL;
}
dst->names->num_rg = src->names->num_rg;
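
Review bot: after the new `dst->names->radio_groups = NULL;` in the else branch, the unchanged line that follows still copies `src->names->num_rg` into `dst->names->num_rg`. The branch condition is not visible in this hunk, so please confirm the count is always 0 whenever this branch is taken; otherwise the destination is left with a NULL pointer and a nonzero count. Setting `dst->names->num_rg = 0;` next to the reset inside the else branch would make that invariant explicit. A one-line comment noting that the stale pointer was reachable from a later XkbGetKbdByName request would also help, since the commit message says this field was the only one not reset.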
