authorAlan Coopersmith <alan.coopersmith@oracle.com>2024-03-22 19:07:34 -0700
committerPovilas Kanapickas <povilas@radix.lt>2024-04-03 19:35:46 +0300
commit0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3 (patch)
tree9b2a403f6fcd9e0b10bb661d77d59dc07b865cbb
parentcea92ca78f900bfb4c9a5540dfd631e065b9151b (diff)
Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
CVE-2024-31082 Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies") Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> (cherry picked from commit 6c684d035c06fd41c727f0ef0744517580864cef)
-rw-r--r--hw/xquartz/xpr/appledri.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
index 77574655b..40422b61a 100644
--- a/hw/xquartz/xpr/appledri.c
+++ b/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
xAppleDRICreatePixmapReply rep;
int width, height, pitch, bpp;
void *ptr;
+ CARD32 stringLength;
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ stringLength = rep.stringLength; /* save unswapped value */
if (client->swapped) {
swaps(&rep.sequenceNumber);
swapl(&rep.length);
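Review bot: The comment `/* save unswapped value */` on the added assignment does not say why the copy is needed, which is the security point of this fix. For a swapped client the block below byte-swaps the reply fields in place, so the old `WriteToClient(client, rep.stringLength, path)` in the last hunk would pass a byte-swapped count as the number of bytes to read from `path`, which can read far past the end of the string. I would spell that out, e.g. `/* host-order copy: rep is byte-swapped in place below, and WriteToClient() needs the real byte count for path */`. The swap block and the rest of ProcAppleDRICreatePixmap continue outside this hunk, so that rep.stringLength is among the swapped fields is inferred from the commit title, not visible here.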
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
}
WriteToClient(client, sizeof(rep), &rep);
- WriteToClient(client, rep.stringLength, path);
+ WriteToClient(client, stringLength, path);
return Success;
}