I'm reasonably sure that, for most people, these are not real security bugs on their own. However, to be paranoid, I'm reporting them here first so people can verify; and it's entirely possible that in combination with other bugs they _could_ be real security problems.

Both Xv and XI's dispatch code have the following pattern:

    if (stuff->data > xvNumRequests) {
        SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest);
        return BadRequest;
    }
    return XvProcVector[stuff->data](client);

This is wrong, > should be >= and as a result you can dispatch one past the end of the mentioned function pointer array.

On my machine (Linux, amd64, fairly typical linker and option setup) this isn't an issue, since the memory map looks like:

    % nm -an hw/xfree86/dixmods/extmod/.libs/libextmod.so | grep -A1 XvProcVector
    00000000002228a0 d SXvProcVector
    0000000000222940 d SwappedVector
    --
    00000000002247c0 d XvProcVector
    0000000000224860 d ProcXvMCVector

(SwappedVector belonging to the screensaver extension). So yes, you'd dispatch to something unexpected, but it's just another request proc, not system().

Similarly for XI:

    % nm -an hw/xfree86/Xorg | grep -A1 ProcIVector
    00000000007c8aa0 d SProcIVector
    00000000007c8ca0 d ProcIVector
    00000000007c8e88 d .dynamic

Here you would probably crash, since .dynamic is unlikely to be a useful function pointer.
Xv: http://cgit.freedesktop.org/xorg/xserver/commit/?id=41229392b790f30a0f0ef1f4ed95647c5bca4001
XInput: http://cgit.freedesktop.org/xorg/xserver/commit/?id=682c09a2cedd234b005334cc01247d859dd7f26a
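The off-by-one described in the report, reduced to a stand-alone C example (added here, not xserver code): a constructed two-entry dispatch table, the buggy `>` bounds test beside the corrected `>=` one, and a dispatcher that derives the table length from the array itself so the check cannot drift from the table.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an X request dispatch table: the minor
 * opcode from the request header indexes a function pointer array. */
#define Success    0
#define BadRequest 1

typedef int (*ReqProc)(int client);

static int ProcA(int client) { (void)client; return Success; }
static int ProcB(int client) { (void)client; return Success; }

static ReqProc ProcVector[] = { ProcA, ProcB };
/* Valid opcodes are 0 .. NUM_REQUESTS-1; derived from the array so the
 * bound and the table can never disagree. */
#define NUM_REQUESTS (sizeof ProcVector / sizeof ProcVector[0])

/* The check as reported: opcode == NUM_REQUESTS slips through and would
 * index one past the end of the table. Returns 1 if rejected. */
int rejects_buggy(unsigned opcode) {
    return opcode > NUM_REQUESTS;
}

/* Corrected check: every opcode >= table length is rejected. */
int rejects_fixed(unsigned opcode) {
    return opcode >= NUM_REQUESTS;
}

/* Dispatcher built on the corrected check; never reads past the table. */
int dispatch(int client, unsigned opcode) {
    if (rejects_fixed(opcode))
        return BadRequest;   /* the real server also sends the error */
    return ProcVector[opcode](client);
}

int main(void) {
    unsigned op = NUM_REQUESTS;   /* one past the last valid opcode */
    printf("opcode %u: buggy check rejects=%d, fixed check rejects=%d\n",
           op, rejects_buggy(op), rejects_fixed(op));
    return dispatch(0, op) == BadRequest ? 0 : 1;
}
```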