Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply

CVE-2024-31081 Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2024-03-22 18:56:27 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2024-04-02 19:19:40 -0700
commit: 3e77295f888c67fc7645db5d0c00926a29ffecee (patch)
tree: 08a3233de32a2f75b98be8a2e04a5f749e3a5e1b /Xi
parent: 96798fc1967491c80a4d0c8d9e0a80586cb2152b (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index c9ac2f855..896233bec 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabParameters param;
     void *tmp;
     int mask_len;
+    uint32_t length;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
     WriteReplyToClient(client, sizeof(rep), &rep);
     if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
 
  out:
     free(modifiers_failed);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2024-03-22 18:56:27 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2024-04-02 19:19:40 -0700
commit	3e77295f888c67fc7645db5d0c00926a29ffecee (patch)
tree	08a3233de32a2f75b98be8a2e04a5f749e3a5e1b /Xi
parent	96798fc1967491c80a4d0c8d9e0a80586cb2152b (diff)