diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2024-03-22 18:51:45 -0700 |
---|---|---|
committer | Povilas Kanapickas <povilas@radix.lt> | 2024-04-03 19:35:30 +0300 |
commit | 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5 (patch) | |
tree | bde285701f2504dfce2a139f38eea1680f5f636c /Xi | |
parent | 5ca3a95135d9c89753e2af19da5a2615ea2be1c3 (diff) |
Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply
CVE-2024-31080
Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
Diffstat (limited to 'Xi')
-rw-r--r-- | Xi/xiselectev.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c index edcb8a0d3..ac1494987 100644 --- a/Xi/xiselectev.c +++ b/Xi/xiselectev.c @@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) InputClientsPtr others = NULL; xXIEventMask *evmask = NULL; DeviceIntPtr dev; + uint32_t length; REQUEST(xXIGetSelectedEventsReq); REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); @@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) } } + /* save the value before SRepXIGetSelectedEvents swaps it */ + length = reply.length; WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); if (reply.num_masks) - WriteToClient(client, reply.length * 4, buffer); + WriteToClient(client, length * 4, buffer); free(buffer); return Success; |