From a1e44d3c4ff997772c695c578286e2735e17f445 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Mon, 28 Apr 2025 10:05:36 +0200
Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode
The handler of XFixesSetClientDisconnectMode does not check the client request length. A client could send a shorter request and read data from a former request. Fix the issue by checking the request size matches. CVE-2025-49177 This issue was discovered by Nils Emmerich and reported by Julian Suleder via ERNW Vulnerability Disclosure.
Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan
Reviewed-by: Peter Hutterer
Part-of:
---
 xfixes/disconnect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
index 8d52b50aa..fea2ab33a 100644
--- a/xfixes/disconnect.c
+++ b/xfixes/disconnect.c
@@ -66,6 +66,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
 ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
 REQUEST(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 pDisconnect->disconnect_mode = stuff->disconnect_mode;
@@ -76,7 +77,7 @@ int _X_COLD
 SProcXFixesSetClientDisconnectMode(ClientPtr client)
 {
 REQUEST(xXFixesSetClientDisconnectModeReq);
- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 swapl(&stuff->disconnect_mode);
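Review bot: The value stored on the line after the new check, `pDisconnect->disconnect_mode = stuff->disconnect_mode;`, is still taken from the client exactly as sent, so a correctly sized request can set any bit pattern as the mode. Whether undefined bits are harmless depends on how the readers of disconnect_mode test it, which is not visible in this hunk. If accepting them is deliberate, a comment such as `/* mode is stored unvalidated; readers must test individual flag bits */` would record that; otherwise undefined bits should be rejected with BadValue before the store. The function's signature and return lie outside the hunk.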
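Review bot: Nothing at the new `REQUEST_SIZE_MATCH` in the byte-swapped handler says that it has to stay ahead of `swapl(&stuff->disconnect_mode)`, which writes into the request buffer in place. A short comment would keep a later refactor from moving or dropping the check, for example `/* validate length before swapl(): the swap modifies the request buffer */`. The rest of the function lies outside the hunk, so if it hands off to ProcXFixesSetClientDisconnectMode the length is simply checked twice, which is harmless.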