wok-current rev 25755
Patch xorg-server (CVE-2025-{26594-26601})
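--- a/xorg-server/receipt	Wed Feb 26 14:31:16 2025 +0000
+++ b/xorg-server/receipt	Thu Feb 27 11:19:43 2025 +0000
@@ -93,6 +93,21 @@
  # see https://lists.x.org/archives/xorg-announce/2024-October/003545.html
  patch -p1 < $stuff/CVE-2024-9632.patch
 
+ # Patch xorg CVEs February 2025
+ # see https://lists.x.org/archives/xorg-announce/2025-February/003584.html
+ patch -p1 < $stuff/CVE-2025-26594.01.patch
+ patch -p1 < $stuff/CVE-2025-26595.patch
+ patch -p1 < $stuff/CVE-2025-26596.patch
+ patch -p1 < $stuff/CVE-2025-26597.patch
+ patch -p1 < $stuff/CVE-2025-26598.patch
+ patch -p1 < $stuff/CVE-2025-26599.01.patch
+ patch -p1 < $stuff/CVE-2025-26599.02.patch
+ patch -p1 < $stuff/CVE-2025-26600.patch
+ patch -p1 < $stuff/CVE-2025-26601.01.patch
+ patch -p1 < $stuff/CVE-2025-26601.02.patch
+ patch -p1 < $stuff/CVE-2025-26601.03.patch
+ patch -p1 < $stuff/CVE-2025-26601.04.patch
+
  # Fix libshadow
  # See https://gitlab.archlinux.org/archlinux/packaging/packages/xorg-server/-/tree/1.20.13-3?ref_type=tags
  patch -p1 < $stuff/fix-libshadow.patch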
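Review bot: `CVE-2025-26594.02.patch` is added under `stuff/` by this commit, but the new block in the receipt never applies it: the list goes from `CVE-2025-26594.01.patch` straight to `CVE-2025-26595.patch`. According to its own description that patch gives the server its own reference on `rootCursor`, so without it the build relies solely on the `BadCursor` check from `.01`. If the omission is deliberate (for instance the patch does not apply to this tree), say so in a comment next to the list; otherwise add `patch -p1 < $stuff/CVE-2025-26594.02.patch` after the `.01` line. The hunk also shows no check of `patch`'s exit status, and whether a rejected hunk stops the build depends on receipt code outside this hunk.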
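--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26594.01.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,48 @@
+From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 11:27:05 +0100
+Subject: [PATCH] Cursor: Refuse to free the root cursor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a cursor reference count drops to 0, the cursor is freed.
+
+The root cursor however is referenced with a specific global variable,
+and when the root cursor is freed, the global variable may still point
+to freed memory.
+
+Make sure to prevent the rootCursor from being explicitly freed by a
+client.
+
+CVE-2025-26594, ZDI-CAN-25544
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
+<peter.hutterer@who-t.net>)
+v3: Return BadCursor instead of BadValue (Michel Dänzer
+<michel@daenzer.net>)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ dix/dispatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- ./dix/dispatch.c.orig 2021-12-15 13:01:24.000000000 -0600
++++ ./dix/dispatch.c 2025-02-25 13:16:59.757758018 -0600
+@@ -3039,6 +3039,10 @@
+ rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
+ client, DixDestroyAccess);
+ if (rc == Success) {
++ if (pCursor == rootCursor) {
++ client->errorValue = stuff->id;
++ return BadCursor;
++ }
+ FreeResource(stuff->id, RT_NONE);
+ return Success;
+ }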
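--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26594.02.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,43 @@
+From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 4 Dec 2024 15:49:43 +1000
+Subject: [PATCH] dix: keep a ref to the rootCursor
+
+CreateCursor returns a cursor with refcount 1 - that refcount is used by
+the resource system, any caller needs to call RefCursor to get their own
+reference. That happens correctly for normal cursors but for our
+rootCursor we keep a variable to the cursor despite not having a ref for
+ourselves.
+
+Fix this by reffing/unreffing the rootCursor to ensure our pointer is
+valid.
+
+Related to CVE-2025-26594, ZDI-CAN-25544
+
+Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ dix/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+
+--- ./dix/main.c.orig 2021-12-15 13:01:24.000000000 -0600
++++ ./dix/main.c 2025-02-25 13:24:51.377731931 -0600
+@@ -235,6 +235,8 @@
+ defaultCursorFont);
+ }
+
++ rootCursor = RefCursor(rootCursor);
++
+ #ifdef PANORAMIX
+ /*
+ * Consolidate window and colourmap information for each screen
+@@ -275,6 +277,8 @@
+
+ Dispatch();
+
++ UnrefCursor(rootCursor);
++
+ UndisplayDevices();
+ DisableAllDevices();
+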
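--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26595.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,61 @@
+From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+CVE-2025-26595, ZDI-CAN-25545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index 0184664207..93262528bb 100644
+--- a/xkb/xkbtext.c
++++ b/xkb/xkbtext.c
+@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+ if (format == XkbCFile)
+ len += 4;
+- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+- if (str != buf) {
+- if (format == XkbCFile)
+- *str++ = '|';
+- else
+- *str++ = '+';
+- len--;
+- }
++ if ((str - buf) + len > VMOD_BUFFER_SIZE)
++ continue; /* Skip */
++ if (str != buf) {
++ if (format == XkbCFile)
++ *str++ = '|';
++ else
++ *str++ = '+';
++ len--;
+ }
+ if (format == XkbCFile)
+ sprintf(str, "%sMask", tmp);
+--
+GitLab
+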
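--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26596.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,45 @@
+From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 11:49:34 +0100
+Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms
+
+The computation of the length in XkbSizeKeySyms() differs from what is
+actually written in XkbWriteKeySyms(), leading to a heap overflow.
+
+Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
+does.
+
+CVE-2025-26596, ZDI-CAN-25543
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 85659382da..744dba63d7 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
+ len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
+ symMap = &xkb->map->key_sym_map[rep->firstKeySym];
+ for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
+- if (symMap->offset != 0) {
+- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+- nSyms += nSymsThisKey;
+- }
++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
++ if (nSymsThisKey == 0)
++ continue;
++ nSyms += nSymsThisKey;
+ }
+ len += nSyms * 4;
+ rep->totalSyms = nSyms;
+--
+GitLab
+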
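--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26597.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,42 @@
+From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+
+CVE-2025-26597, ZDI-CAN-25683
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
+index abbfed90eb..fd180fad2c 100644
+--- a/xkb/XKBMisc.c
++++ b/xkb/XKBMisc.c
+@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+ i = XkbSetNumGroups(i, 0);
+ xkb->map->key_sym_map[key].group_info = i;
+ XkbResizeKeySyms(xkb, key, 0);
++ XkbResizeKeyActions(xkb, key, 0);
+ return Success;
+ }
+
+--
+GitLab
+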
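--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26598.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,116 @@
+From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH] Xi: Fix barrier device search
+
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+
+CVE-2025-26598, ZDI-CAN-25740
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 700b2b8c53..6761bcb49a 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
+
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+- struct PointerBarrierDevice *pbd = NULL;
++ struct PointerBarrierDevice *p, *pbd = NULL;
+
+- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+- if (pbd->deviceid == deviceid)
++ xorg_list_for_each_entry(p, &c->per_device, entry) {
++ if (p->deviceid == deviceid) {
++ pbd = p;
+ break;
++ }
+ }
+
+- BUG_WARN(!pbd);
+ return pbd;
+ }
+
+@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+ double distance;
+
+ pbd = GetBarrierDevice(c, dev->id);
++ if (!pbd)
++ continue;
++
+ if (pbd->seen)
+ continue;
+
+@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+ nearest = &c->barrier;
+
+ pbd = GetBarrierDevice(c, master->id);
++ if (!pbd)
++ continue;
++
+ new_sequence = !pbd->hit;
+
+ pbd->seen = TRUE;
+@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+ int flags = 0;
+
+ pbd = GetBarrierDevice(c, master->id);
++ if (!pbd)
++ continue;
++
+ pbd->seen = FALSE;
+ if (!pbd->hit)
+ continue;
+@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id)
+ continue;
+
+ pbd = GetBarrierDevice(c, dev->id);
++ if (!pbd)
++ continue;
++
+ if (!pbd->hit)
+ continue;
+
+@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid)
+ barrier = container_of(b, struct PointerBarrierClient, barrier);
+
+ pbd = GetBarrierDevice(barrier, *deviceid);
++ if (!pbd)
++ return;
+
+ if (pbd->hit) {
+ BarrierEvent ev = {
+@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+ barrier = container_of(b, struct PointerBarrierClient, barrier);
+
+ pbd = GetBarrierDevice(barrier, dev->id);
++ if (!pbd) {
++ client->errorValue = dev->id;
++ return BadDevice;
++ }
+
+ if (pbd->barrier_event_id == event_id)
+ pbd->release_event_id = event_id;
+--
+GitLab
+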
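--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26599.01.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,57 @@
+From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 17 Dec 2024 15:19:45 +0100
+Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow()
+
+The function compCheckRedirect() may fail if it cannot allocate the
+backing pixmap.
+
+In that case, compRedirectWindow() will return a BadAlloc error.
+
+However that failure code path will shortcut the validation of the
+window tree marked just before, which leaves the validate data partly
+initialized.
+
+That causes a use of uninitialized pointer later.
+
+The fix is to not shortcut the call to compHandleMarkedWindows() even in
+the case of compCheckRedirect() returning an error.
+
+CVE-2025-26599, ZDI-CAN-25851
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ composite/compalloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- ./composite/compalloc.c.orig 2021-12-15 13:01:24.000000000 -0600
++++ ./composite/compalloc.c 2025-02-25 13:28:19.072720443 -0600
+@@ -138,6 +138,7 @@
+ CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
+ WindowPtr pLayerWin;
+ Bool anyMarked = FALSE;
++ int status = Success;
+
+ if (pWin == cs->pOverlayWin) {
+ return Success;
+@@ -216,13 +217,13 @@
+
+ if (!compCheckRedirect(pWin)) {
+ FreeResource(ccw->id, RT_NONE);
+- return BadAlloc;
++ status =BadAlloc;
+ }
+
+ if (anyMarked)
+ compHandleMarkedWindows(pWin, pLayerWin);
+
+- return Success;
++ return status;
+ }
+
+ void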
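Review bot: This patch file keeps the upstream mail header and commit hash, but its body appears to have been refreshed locally: the file headers are `./composite/compalloc.c.orig` with local timestamps, the `@@` lines carry no function name, and the replaced line reads `status =BadAlloc;` with the space missing. Nothing in the description tells a later auditor that the content differs from the upstream commit, which makes it harder to confirm that the packaged fix matches the advisory. I would add a line to the description such as `Backported to xorg-server <PACKAGED_VERSION>: refreshed against composite/compalloc.c` and restore `status = BadAlloc;`. `CVE-2025-26594.01.patch` and `CVE-2025-26594.02.patch` show the same refreshed form and need the same marker. Both hunks here sit inside a function whose start is outside the hunk.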
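--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26599.02.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,125 @@
+From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Jan 2025 16:09:43 +0100
+Subject: [PATCH] composite: initialize border clip even when pixmap alloc
+ fails
+
+If it fails to allocate the pixmap, the function compAllocPixmap() would
+return early and leave the borderClip region uninitialized, which may
+lead to the use of uninitialized value as reported by valgrind:
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x4F9B33: compClipNotify (compwindow.c:317)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
+ by 0x4F9255: RegionTranslate (regionstr.h:312)
+ by 0x4F9B7E: compClipNotify (compwindow.c:319)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
+ by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
+ by 0x4F9255: RegionTranslate (regionstr.h:312)
+ by 0x4F9B7E: compClipNotify (compwindow.c:319)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+Fix compAllocPixmap() to initialize the border clip even if the creation
+of the backing pixmap has failed, to avoid depending later on
+uninitialized border clip values.
+
+Related to CVE-2025-26599, ZDI-CAN-25851
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ composite/compalloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index 7cf7351e00..4a1243170d 100644
+--- a/composite/compalloc.c
++++ b/composite/compalloc.c
+@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
+ int h = pWin->drawable.height + (bw << 1);
+ PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
+ CompWindowPtr cw = GetCompWindow(pWin);
++ Bool status;
+
+- if (!pPixmap)
+- return FALSE;
++ if (!pPixmap) {
++ status = FALSE;
++ goto out;
++ }
+ if (cw->update == CompositeRedirectAutomatic)
+ pWin->redirectDraw = RedirectDrawAutomatic;
+ else
+@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
+ DamageRegister(&pWin->drawable, cw->damage);
+ cw->damageRegistered = TRUE;
+ }
++ status = TRUE;
+
++out:
+ /* Make sure our borderClip is up to date */
+ RegionUninit(&cw->borderClip);
+ RegionCopy(&cw->borderClip, &pWin->borderClip);
+ cw->borderClipX = pWin->drawable.x;
+ cw->borderClipY = pWin->drawable.y;
+
+- return TRUE;
++ return status;
+ }
+
+ void
+--
+GitLab
+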
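--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26600.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,64 @@
+From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
+
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+
+As a result, replaying the events will cause a use after free.
+
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+
+CVE-2025-26600, ZDI-CAN-25871
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 3074662a66..3103647308 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -981,6 +981,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+
+ }
+
++static void
++FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
++{
++ QdEventPtr qe, tmp;
++
++ if (!dev->deviceGrab.sync.frozen)
++ return;
++
++ /* Dequeue any frozen pending events */
++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
++ if (qe->device == dev) {
++ xorg_list_del(&qe->next);
++ free(qe);
++ }
++ }
++}
++
+ /**
+ * Close down a device and free all resources.
+ * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1044,6 +1061,7 @@ CloseDevice(DeviceIntPtr dev)
+ valuator_mask_free(&dev->last.touches[j].valuators);
+ free(dev->last.touches);
+ dev->config_info = NULL;
++ FreePendingFrozenDeviceEvents(dev);
+ dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+ free(dev);
+ }
+--
+GitLab
+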
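Review bot: `FreePendingFrozenDeviceEvents()` returns before touching the queue when `dev->deviceGrab.sync.frozen` is not set, so entries in `syncEvents.pending` with `qe->device == dev` are removed only if the device is frozen at the moment `CloseDevice()` runs. Whether an event can stay queued for a device that has since been thawed is not visible in these hunks; if it can, the `free(dev)` two lines after the new call would leave those entries pointing at freed memory. Either drop the early return and always walk the list, or document the invariant above the check, e.g. `/* events are only ever queued for a frozen device; confirm against EnqueueEvent() */`. `CloseDevice()` starts outside the second hunk.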
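--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26601.01.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,67 @@
+From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:52:01 +0100
+Subject: [PATCH] sync: Do not let sync objects uninitialized
+
+When changing an alarm, the change mask values are evaluated one after
+the other, changing the trigger values as requested and eventually,
+SyncInitTrigger() is called.
+
+SyncInitTrigger() will evaluate the XSyncCACounter first and may free
+the existing sync object.
+
+Other changes are then evaluated and may trigger an error and an early
+return, not adding the new sync object.
+
+This can be used to cause a use after free when the alarm eventually
+triggers.
+
+To avoid the issue, delete the existing sync object as late as possible
+only once we are sure that no further error will cause an early exit.
+
+CVE-2025-26601, ZDI-CAN-25870
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ Xext/sync.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index ee0010e657..585cfa6f68 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ client->errorValue = syncObject;
+ return rc;
+ }
+- if (pSync != pTrigger->pSync) { /* new counter for trigger */
+- SyncDeleteTriggerFromSyncObject(pTrigger);
+- pTrigger->pSync = pSync;
+- newSyncObject = TRUE;
+- }
+ }
+
+ /* if system counter, ask it what the current value is */
+@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
++ if (changes & XSyncCACounter) {
++ if (pSync != pTrigger->pSync) { /* new counter for trigger */
++ SyncDeleteTriggerFromSyncObject(pTrigger);
++ pTrigger->pSync = pSync;
++ newSyncObject = TRUE;
++ }
++ }
++
+ /* we wait until we're sure there are no errors before registering
+ * a new counter on a trigger
+ */
+--
+GitLab
+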
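--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2025-26601.02.patch	Thu Feb 27 11:19:43 2025 +0000
@@ -0,0 +1,81 @@
+From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:54:30 +0100
+Subject: [PATCH] sync: Check values before applying changes
+
+In SyncInitTrigger(), we would set the CheckTrigger function before
+validating the counter value.
+
+As a result, if the counter value overflowed, we would leave the
+function SyncInitTrigger() with the CheckTrigger applied but without
+updating the trigger object.
+
+To avoid that issue, move the portion of code checking for the trigger
+check value before updating the CheckTrigger function.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ Xext/sync.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 585cfa6f68..10302160fb 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
++ if (changes & (XSyncCAValueType | XSyncCAValue)) {
++ if (pTrigger->value_type == XSyncAbsolute)
++ pTrigger->test_value = pTrigger->wait_value;
++ else { /* relative */
++ Bool overflow;
++
++ if (pCounter == NULL)
++ return BadMatch;
++
++ overflow = checked_int64_add(&pTrigger->test_value,
++ pCounter->value, pTrigger->wait_value);
++ if (overflow) {
++ client->errorValue = pTrigger->wait_value >> 32;
++ return BadValue;
++ }
++ }
++ }
++
+ if (changes & XSyncCATestType) {
+
+ if (pSync && SYNC_FENCE == pSync->type) {
+@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
+- if (changes & (XSyncCAValueType | XSyncCAValue)) {
+- if (pTrigger->value_type == XSyncAbsolute)
+- pTrigger->test_value = pTrigger->wait_value;
+- else { /* relative */
+- Bool overflow;
+-
+- if (pCounter == NULL)
+- return BadMatch;
+-
+- overflow = checked_int64_add(&pTrigger->test_value,
+- pCounter->value, pTrigger->wait_value);
+- if (overflow) {
+- client->errorValue = pTrigger->wait_value >> 32;
+- return BadValue;
+- }
+- }
+- }
+-
+ if (changes & XSyncCACounter) {
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
+ SyncDeleteTriggerFromSyncObject(pTrigger);
+--
+GitLab
+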
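--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-26601.03.patch
@@ -0,0 +1,48 @@
+From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:06:07 +0100
+Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject()
+
+We do not want to return a failure at the very last step in
+SyncInitTrigger() after having all changes applied.
+
+SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
+allocation of the SyncTriggerList fails, trigger a FatalError() instead.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ Xext/sync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 10302160fb..65f2d43780 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
+ return Success;
+ }
+
+- if (!(pCur = malloc(sizeof(SyncTriggerList))))
+- return BadAlloc;
++ /* Failure is not an option, it's succeed or burst! */
++ pCur = XNFalloc(sizeof(SyncTriggerList));
+
+ pCur->pTrigger = pTrigger;
+ pCur->next = pTrigger->pSync->pTriglist;
+@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ * a new counter on a trigger
+ */
+ if (newSyncObject) {
+- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
+- return rc;
++ SyncAddTriggerToSyncObject(pTrigger);
+ }
+ else if (pCounter && IsSystemCounter(pCounter)) {
+ SyncComputeBracketValues(pCounter);
+--
+GitLab
+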
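Review bot: The new `pCur = XNFalloc(sizeof(SyncTriggerList));` in SyncAddTriggerToSyncObject() turns an allocation failure into a server abort, and the comment `/* Failure is not an option, it's succeed or burst! */` does not say why that trade-off was chosen. The reason is only in the commit message (SyncInitTrigger() has already applied its changes at this point and has no way to unwind them), so I would state it in the code: `/* Must not fail: SyncInitTrigger() has already applied its changes; XNFalloc() aborts the server on OOM */`. The function apparently still returns a status that the SyncInitTrigger() call site now ignores; if no other caller checks it (not visible here), a follow-up could make it `void` so the contract is explicit. Both function bodies continue outside the hunks.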
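--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-26601.04.patch
@@ -0,0 +1,128 @@
+From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:10:31 +0100
+Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes()
+
+SyncChangeAlarmAttributes() would apply the various changes while
+checking for errors.
+
+If one of the changes triggers an error, the changes for the trigger,
+counter or delta value would remain, possibly leading to inconsistent
+changes.
+
+Postpone the actual changes until we're sure nothing else can go wrong.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+---
+ Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 65f2d43780..cab73be927 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ int status;
+ XSyncCounter counter;
+ Mask origmask = mask;
++ SyncTrigger trigger;
++ Bool select_events_changed = FALSE;
++ Bool select_events_value = FALSE;
++ int64_t delta;
+
+- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
++ trigger = pAlarm->trigger;
++ delta = pAlarm->delta;
++ counter = trigger.pSync ? trigger.pSync->id : None;
+
+ while (mask) {
+ int index2 = lowbit(mask);
+@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ case XSyncCAValueType:
+ mask &= ~XSyncCAValueType;
+ /* sanity check in SyncInitTrigger */
+- pAlarm->trigger.value_type = *values++;
++ trigger.value_type = *values++;
+ break;
+
+ case XSyncCAValue:
+ mask &= ~XSyncCAValue;
+- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+ values += 2;
+ break;
+
+ case XSyncCATestType:
+ mask &= ~XSyncCATestType;
+ /* sanity check in SyncInitTrigger */
+- pAlarm->trigger.test_type = *values++;
++ trigger.test_type = *values++;
+ break;
+
+ case XSyncCADelta:
+ mask &= ~XSyncCADelta;
+- pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
++ delta = ((int64_t)values[0] << 32) | values[1];
+ values += 2;
+ break;
+
+@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ client->errorValue = *values;
+ return BadValue;
+ }
+- status = SyncEventSelectForAlarm(pAlarm, client,
+- (Bool) (*values++));
+- if (status != Success)
+- return status;
++ select_events_value = (Bool) (*values++);
++ select_events_changed = TRUE;
+ break;
+
+ default:
+@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ }
+ }
+
++ if (select_events_changed) {
++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
++ if (status != Success)
++ return status;
++ }
++
+ /* "If the test-type is PositiveComparison or PositiveTransition
+ * and delta is less than zero, or if the test-type is
+ * NegativeComparison or NegativeTransition and delta is
+ * greater than zero, a Match error is generated."
+ */
+ if (origmask & (XSyncCADelta | XSyncCATestType)) {
+- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
+- (pAlarm->trigger.test_type == XSyncPositiveTransition))
+- && pAlarm->delta < 0)
++ if ((((trigger.test_type == XSyncPositiveComparison) ||
++ (trigger.test_type == XSyncPositiveTransition))
++ && delta < 0)
+ ||
+- (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
+- (pAlarm->trigger.test_type == XSyncNegativeTransition))
+- && pAlarm->delta > 0)
++ (((trigger.test_type == XSyncNegativeComparison) ||
++ (trigger.test_type == XSyncNegativeTransition))
++ && delta > 0)
+ ) {
+ return BadMatch;
+ }
+ }
+
+ /* postpone this until now, when we're sure nothing else can go wrong */
++ pAlarm->delta = delta;
++ pAlarm->trigger = trigger;
+ if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
+ origmask & XSyncCAAllTrigger)) != Success)
+ return status;
+--
+GitLab
+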
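Review bot: In the last hunk, `pAlarm->delta = delta;` and `pAlarm->trigger = trigger;` are committed before SyncInitTrigger() runs, but the 26601.02 patch on this page shows SyncInitTrigger() can still return BadMatch or BadValue, so the comment "when we're sure nothing else can go wrong" overstates the guarantee. Passing the stack-local `trigger` to SyncInitTrigger() instead is presumably not an option, because SyncAddTriggerToSyncObject() stores the trigger pointer in the sync object's list (`pCur->pTrigger = pTrigger;`). I would reword the comment to something like `/* commit the staged values; SyncInitTrigger() may still fail and leave them on the alarm */`. Separately, the new `if (select_events_changed)` block runs before the delta/test-type Match check, so a BadMatch return still leaves the event selection changed; moving that block below the check would close that gap. The body of SyncChangeAlarmAttributes() starts and ends outside these hunks.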