frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply 

CVE-2024-31080

Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
(cherry picked from commit 96798fc196)
This commit is contained in:
Alan Coopersmith 2024-03-22 18:51:45 -07:00 committed by Povilas Kanapickas
parent 5ca3a95135
commit 8a7cd0e3ef
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Xi/xiselectev.c
View File

@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
InputClientsPtr others = NULL; InputClientsPtr others = NULL;
xXIEventMask *evmask = NULL; xXIEventMask *evmask = NULL;
DeviceIntPtr dev; DeviceIntPtr dev;
uint32_t length;
REQUEST(xXIGetSelectedEventsReq); REQUEST(xXIGetSelectedEventsReq);
REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
} }
} }
/* save the value before SRepXIGetSelectedEvents swaps it */
length = reply.length;
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
if (reply.num_masks) if (reply.num_masks)
WriteToClient(client, reply.length * 4, buffer); WriteToClient(client, length * 4, buffer);
free(buffer); free(buffer);
return Success; return Success;