fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-20 07:00:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply

Browse source 
CVE-2024-31082

Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
This commit is contained in:
Alan Coopersmith 2024-03-22 19:07:34 -07:00
parent 3e77295f88
commit 6c684d035c
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hw/xquartz/xpr/appledri.c
View file

@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
xAppleDRICreatePixmapReply rep; xAppleDRICreatePixmapReply rep;
int width, height, pitch, bpp; int width, height, pitch, bpp;
void *ptr; void *ptr;
CARD32 stringLength;
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq); REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply) if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep)); ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
stringLength = rep.stringLength; /* save unswapped value */
if (client->swapped) { if (client->swapped) {
swaps(&rep.sequenceNumber); swaps(&rep.sequenceNumber);
swapl(&rep.length); swapl(&rep.length);
@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
} }
WriteToClient(client, sizeof(rep), &rep); WriteToClient(client, sizeof(rep), &rep);
WriteToClient(client, rep.stringLength, path); WriteToClient(client, stringLength, path);
return Success; return Success;
} }