frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply 

CVE-2024-31082

Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
(cherry picked from commit 6c684d035c)
This commit is contained in:
Alan Coopersmith 2024-03-22 19:07:34 -07:00 committed by Povilas Kanapickas
parent cea92ca78f
commit 0e34d8ebc9
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hw/xquartz/xpr/appledri.c
View File

@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
xAppleDRICreatePixmapReply rep; xAppleDRICreatePixmapReply rep;
int width, height, pitch, bpp; int width, height, pitch, bpp;
void *ptr; void *ptr;
CARD32 stringLength;
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq); REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply) if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep)); ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
stringLength = rep.stringLength; /* save unswapped value */
if (client->swapped) { if (client->swapped) {
swaps(&rep.sequenceNumber); swaps(&rep.sequenceNumber);
swapl(&rep.length); swapl(&rep.length);
@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
} }
WriteToClient(client, sizeof(rep), &rep); WriteToClient(client, sizeof(rep), &rep);
WriteToClient(client, rep.stringLength, path); WriteToClient(client, stringLength, path);
return Success; return Success;
} }