File U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-nee... of Package xorg-x11-server.36288

Overview Repositories Revisions Requests Users Attributes Meta

File U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch of Package xorg-x11-server.36288

From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 22 Mar 2024 18:56:27 -0700
Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
 to send reply

CVE-2024-31081

Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
 Xi/xipassivegrab.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: xorg-server-1.19.6/Xi/xipassivegrab.c
===================================================================
--- xorg-server-1.19.6.orig/Xi/xipassivegrab.c
+++ xorg-server-1.19.6/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client
     GrabParameters param;
     void *tmp;
     int mask_len;
+    uint32_t length;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -234,9 +235,11 @@ ProcXIPassiveGrabDevice(ClientPtr client
         }
     }
 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
     WriteReplyToClient(client, sizeof(rep), &rep);
     if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
 
     free(modifiers_failed);
  out:

Places

File U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch of Package xorg-x11-server.36288

Places