From f3520016b2615a73f7a3729bfe21a1bbbeb583a7 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 11:39:09 +0200
Subject: [PATCH] (!1639) Xi: fix length checking with bigreq

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult
---
 Xi/chgdctl.c | 2 +-
 Xi/chgfctl.c | 2 +-
 Xi/chgkmap.c | 2 +-
 Xi/chgprop.c | 2 +-
 Xi/getvers.c | 2 +-
 Xi/grabdev.c | 4 ++--
 Xi/grabdevb.c | 2 +-
 Xi/grabdevk.c | 2 +-
 Xi/selectev.c | 2 +-
 Xi/sendexev.c | 4 ++--
 Xi/setbmap.c | 2 +-
 Xi/setdval.c | 2 +-
 Xi/setmmap.c | 2 +-
 Xi/xiallowev.c | 2 +-
 Xi/xiselectev.c | 6 +++---
 15 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
index 4dd4799ad..ece8efbcc 100644
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@@ -118,7 +118,7 @@ ProcXChangeDeviceControl(ClientPtr client)
     REQUEST(xChangeDeviceControlReq);
     REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
-    len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeDeviceControlReq));
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
         goto out;
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 7a597e43d..00da2677c 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -438,7 +438,7 @@ ProcXChangeFeedbackControl(ClientPtr client)
     REQUEST(xChangeFeedbackControlReq);
     REQUEST_AT_LEAST_SIZE(xChangeFeedbackControlReq);
-    len = stuff->length - bytes_to_int32(sizeof(xChangeFeedbackControlReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeFeedbackControlReq));
     rc = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (rc != Success)
         return rc;
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 2940a2cb0..0e015b8c9 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
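Review bot: The reason the new `len` assignment in ProcXChangeDeviceControl reads `client->req_len` rather than the request's own length field lives only in the commit message, and the same substitution is repeated in every file of this series, so the first site deserves a comment: `/* use client->req_len, not stuff->length: the 16-bit header field cannot express big requests (see the commit message / BigRequests) */`. The body of ProcXChangeDeviceControl continues past the hunk, where `len` is presumably compared against the per-control structure sizes; any other `stuff->length` reads left in that tail would still see the truncated header value for big requests, so it is worth grepping the remainder of the function, and of the other touched files, for `stuff->length`.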
@@ -108,7 +108,7 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
         return ret;
-    len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceKeyMappingReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeDeviceKeyMappingReq));
     ret = ChangeKeyMapping(client, dev, len, DeviceMappingNotify,
                            stuff->firstKeyCode, stuff->keyCodes,
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index a97fab18d..718ea9358 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -104,7 +104,7 @@ ProcXChangeDeviceDontPropagateList(ClientPtr client)
     REQUEST(xChangeDeviceDontPropagateListReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xChangeDeviceDontPropagateListReq)) + stuff->count)
         return BadLength;
diff --git a/Xi/getvers.c b/Xi/getvers.c
index a56ff1684..b0dfb675a 100644
--- a/Xi/getvers.c
+++ b/Xi/getvers.c
@@ -94,7 +94,7 @@ ProcXGetExtensionVersion(ClientPtr client)
     REQUEST(xGetExtensionVersionReq);
     REQUEST_AT_LEAST_SIZE(xGetExtensionVersionReq);
-    if (stuff->length != bytes_to_int32(sizeof(xGetExtensionVersionReq) +
+    if (client->req_len != bytes_to_int32(sizeof(xGetExtensionVersionReq) +
                                          stuff->nbytes))
         return BadLength;
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index d26bea434..50e4564d7 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -84,7 +84,7 @@ SProcXGrabDevice(ClientPtr client)
     swapl(&stuff->time);
     swaps(&stuff->event_count);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xGrabDeviceReq)) + stuff->event_count)
         return BadLength;
@@ -111,7 +111,7 @@ ProcXGrabDevice(ClientPtr client)
     REQUEST(xGrabDeviceReq);
     REQUEST_AT_LEAST_SIZE(xGrabDeviceReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xGrabDeviceReq)) + stuff->event_count)
         return BadLength;
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index 344dc54a8..65eb0a9e2 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -108,7 +108,7 @@ ProcXGrabDeviceButton(ClientPtr client)
     REQUEST(xGrabDeviceButtonReq);
     REQUEST_AT_LEAST_SIZE(xGrabDeviceButtonReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xGrabDeviceButtonReq)) + stuff->event_count)
         return BadLength;
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index a230f7c3d..32d3b1cd3 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -106,7 +106,7 @@ ProcXGrabDeviceKey(ClientPtr client)
     REQUEST(xGrabDeviceKeyReq);
     REQUEST_AT_LEAST_SIZE(xGrabDeviceKeyReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xGrabDeviceKeyReq)) + stuff->event_count)
         return BadLength;
diff --git a/Xi/selectev.c b/Xi/selectev.c
index 378403d3b..d0c331350 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -150,7 +150,7 @@ ProcXSelectExtensionEvent(ClientPtr client)
     REQUEST(xSelectExtensionEventReq);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xSelectExtensionEventReq)) + stuff->count)
         return BadLength;
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 0f6b4e46a..767240449 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -89,7 +89,7 @@ SProcXSendExtensionEvent(ClientPtr client)
     swapl(&stuff->destination);
     swaps(&stuff->count);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xSendExtensionEventReq)) + stuff->count +
         bytes_to_int32(stuff->num_events * sizeof(xEvent)))
         return BadLength;
@@ -135,7 +135,7 @@ ProcXSendExtensionEvent(ClientPtr client)
     REQUEST(xSendExtensionEventReq);
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xSendExtensionEventReq)) + stuff->count +
         (stuff->num_events * bytes_to_int32(sizeof(xEvent))))
         return BadLength;
diff --git a/Xi/setbmap.c b/Xi/setbmap.c
index cad881b7a..9c110c231 100644
--- a/Xi/setbmap.c
+++ b/Xi/setbmap.c
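Review bot: The expected request length is spelled two different ways in the two sendexev.c hunks: SProcXSendExtensionEvent uses `bytes_to_int32(stuff->num_events * sizeof(xEvent))` while ProcXSendExtensionEvent uses `stuff->num_events * bytes_to_int32(sizeof(xEvent))`, and the two only agree because the wire size of xEvent is a multiple of 4, which a reader has to go and verify. Since the checks are now the security boundary for big requests as well, computing the value once in a small `static int` helper shared by both entry points (e.g. `return bytes_to_int32(sizeof(xSendExtensionEventReq)) + count + num_events * bytes_to_int32(sizeof(xEvent));`) would make them provably identical and give the formula one place for a comment. `count` and `num_events` are 16- and 8-bit request fields here, so neither expression can overflow an int; this is a consistency point, not an overflow one. Both functions start before and end after their hunks.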
@@ -94,7 +94,7 @@ ProcXSetDeviceButtonMapping(ClientPtr client)
     REQUEST(xSetDeviceButtonMappingReq);
     REQUEST_AT_LEAST_SIZE(xSetDeviceButtonMappingReq);
-    if (stuff->length !=
+    if (client->req_len !=
         bytes_to_int32(sizeof(xSetDeviceButtonMappingReq) + stuff->map_length))
         return BadLength;
diff --git a/Xi/setdval.c b/Xi/setdval.c
index 26dedfbf6..c69a13072 100644
--- a/Xi/setdval.c
+++ b/Xi/setdval.c
@@ -102,7 +102,7 @@ ProcXSetDeviceValuators(ClientPtr client)
         .status = Success
     };
-    if (stuff->length != bytes_to_int32(sizeof(xSetDeviceValuatorsReq)) +
+    if (client->req_len != bytes_to_int32(sizeof(xSetDeviceValuatorsReq)) +
         stuff->num_valuators)
         return BadLength;
diff --git a/Xi/setmmap.c b/Xi/setmmap.c
index 5adc7e9d5..0d593bfa6 100644
--- a/Xi/setmmap.c
+++ b/Xi/setmmap.c
@@ -96,7 +96,7 @@ ProcXSetDeviceModifierMapping(ClientPtr client)
     REQUEST(xSetDeviceModifierMappingReq);
     REQUEST_AT_LEAST_SIZE(xSetDeviceModifierMappingReq);
-    if (stuff->length != bytes_to_int32(sizeof(xSetDeviceModifierMappingReq)) +
+    if (client->req_len != bytes_to_int32(sizeof(xSetDeviceModifierMappingReq)) +
         (stuff->numKeyPerModifier << 1))
         return BadLength;
diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
index 23ad4c7ce..fd4cc35bc 100644
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@@ -56,7 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
     swapl(&stuff->time);
-    if (stuff->length > 3) {
+    if (client->req_len > 3) {
         xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
         REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index 6c6aff884..6d8133f3e 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
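Review bot: `(stuff->numKeyPerModifier << 1)` in the ProcXSetDeviceModifierMapping hunk is the only length term in this series written as a shift rather than as a bytes_to_int32() of a byte count, and its derivation is not visible from the hunk. If the trailing data is, as for the core SetModifierMapping request, 8 * numKeyPerModifier one-byte keycodes, then writing it as `bytes_to_int32(8 * stuff->numKeyPerModifier)` makes the check read like its siblings; otherwise a comment such as `/* 8 modifiers x numKeyPerModifier keycodes, one byte each, in 4-byte words */` is the minimum. numKeyPerModifier is a single byte in the request, so neither form can overflow.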
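Review bot: The `client->req_len > 3` test in the SProcXIAllowEvents hunk encodes the base request size as a magic number; `client->req_len > bytes_to_int32(sizeof(xXIAllowEventsReq))` states the same condition and stays in step with the REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq) that follows it. Note also that `swaps(&stuff->length)` three lines above now byte-swaps a field this function no longer consults; it is harmless to keep, but a short comment that `client->req_len` is compared unswapped because it is presumably already in host order would spare the next reader the question. The function continues past the hunk.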
@@ -127,7 +127,7 @@ SProcXISelectEvents(ClientPtr client)
     swapl(&stuff->win);
     swaps(&stuff->num_masks);
-    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
+    len = client->req_len - bytes_to_int32(sizeof(xXISelectEventsReq));
     evmask = (xXIEventMask *) &stuff[1];
     for (i = 0; i < stuff->num_masks; i++) {
         if (len < bytes_to_int32(sizeof(xXIEventMask)))
@@ -174,7 +174,7 @@ ProcXISelectEvents(ClientPtr client)
     while (num_masks--) {
         len += sizeof(xXIEventMask) + evmask->mask_len * 4;
-        if (bytes_to_int32(len) > stuff->length)
+        if (bytes_to_int32(len) > client->req_len)
             return BadLength;
         if (evmask->deviceid != XIAllDevices &&
@@ -300,7 +300,7 @@ ProcXISelectEvents(ClientPtr client)
         evmask++;
     }
-    if (bytes_to_int32(len) != stuff->length)
+    if (bytes_to_int32(len) != client->req_len)
         return BadLength;
     /* Set masks on window */
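Review bot: In the middle hunk (the ProcXISelectEvents loop) `evmask->mask_len` is dereferenced on the `len +=` line before the bound check on the next line has established that the 4-byte xXIEventMask header itself lies inside the request, whereas the swapped path in the first hunk checks `len < bytes_to_int32(sizeof(xXIEventMask))` before touching the header, so the two paths are inconsistent. Unless a check outside the hunk already covers it, guard the header first: `if (bytes_to_int32(len + sizeof(xXIEventMask)) > client->req_len) return BadLength;` placed before the `len +=` line, keeping the existing check for the mask body. The initial value of `len`, the `evmask` setup and any REQUEST_AT_LEAST_SIZE are outside the hunk, so for the first mask this is likely only a few bytes past what the header check guarantees, but it is still a read-before-validate on client-controlled data. ProcXISelectEvents starts before and ends after these hunks.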