Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply

CVE-2024-31081 Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> (cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2024-03-22 18:56:27 -0700
committer: Povilas Kanapickas <povilas@radix.lt> 2024-04-03 19:35:39 +0300
commit: cea92ca78f900bfb4c9a5540dfd631e065b9151b (patch)
tree: ef3488df3c4d9d8272d2c6c89beb05e883653070
parent: 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index c9ac2f855..896233bec 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabParameters param;
     void *tmp;
     int mask_len;
+    uint32_t length;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
     WriteReplyToClient(client, sizeof(rep), &rep);
     if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
 
  out:
     free(modifiers_failed);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2024-03-22 18:56:27 -0700
committer	Povilas Kanapickas <povilas@radix.lt>	2024-04-03 19:35:39 +0300
commit	cea92ca78f900bfb4c9a5540dfd631e065b9151b (patch)
tree	ef3488df3c4d9d8272d2c6c89beb05e883653070
parent	8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5 (diff)