diff options
authorOlivier Fourdan <>2023-03-13 11:08:47 +0100
committerOlivier Fourdan <>2023-03-29 13:34:11 +0200
commit26ef545b3502f61ca722a7a3373507e88ef64110 (patch)
parent6153c71cfb4698f1a416266564ecc748e4a25f2c (diff)
composite: Fix use-after-free of the COWHEADmaster
ZDI-CAN-19866/CVE-2023-1393 If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <> Reviewed-by: Adam Jackson <>
1 files changed, 5 insertions, 0 deletions
diff --git a/composite/compwindow.c b/composite/compwindow.c
index 4e2494b86..b30da589e 100644
--- a/composite/compwindow.c
+++ b/composite/compwindow.c
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
ret = (*pScreen->DestroyWindow) (pWin);
cs->DestroyWindow = pScreen->DestroyWindow;
pScreen->DestroyWindow = compDestroyWindow;
+ /* Did we just destroy the overlay window? */
+ if (pWin == cs->pOverlayWin)
+ cs->pOverlayWin = NULL;
/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
return ret;