Module Name: xsrc
Committed By: mrg
Date: Sun Nov 3 00:55:32 UTC 2024
Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xi: xipassivegrab.c
Log Message:
apply upstream change 3e77295f888c67fc7645db5d0c00926a29ffecee
Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
send reply
CVE-2024-31081
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c:1.1.1.1 Thu Jun 9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/xipassivegrab.c Sun Nov 3 00:55:32 2024
@@ -92,6 +92,7 @@ ProcXIPassiveGrabDevice(ClientPtr client
void *tmp;
int mask_len;
int n;
+ uint32_t length;
REQUEST(xXIPassiveGrabDeviceReq);
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -218,9 +219,11 @@ ProcXIPassiveGrabDevice(ClientPtr client
}
}
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ length = rep.length;
WriteReplyToClient(client, sizeof(rep), &rep);
if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, (char*)modifiers_failed);
+ WriteToClient(client, length * 4, (char*)modifiers_failed);
free(modifiers_failed);
return ret;
