frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply 

CVE-2024-31081

Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
(cherry picked from commit 3e77295f88)
This commit is contained in:
Alan Coopersmith 2024-03-22 18:56:27 -07:00 committed by Povilas Kanapickas
parent 8a7cd0e3ef
commit cea92ca78f
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Xi/xipassivegrab.c
View File

@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
GrabParameters param;
void *tmp;
int mask_len;
uint32_t length;
REQUEST(xXIPassiveGrabDeviceReq);
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
}
}
/* save the value before SRepXIPassiveGrabDevice swaps it */
length = rep.length;
WriteReplyToClient(client, sizeof(rep), &rep);
if (rep.num_modifiers)
WriteToClient(client, rep.length * 4, modifiers_failed);
WriteToClient(client, length * 4, modifiers_failed);
out:
free(modifiers_failed);