You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.5 KiB
48 lines
1.5 KiB
8 months ago
|
From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
|
||
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
Date: Fri, 22 Mar 2024 19:07:34 -0700
|
||
|
Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
|
||
|
length to send reply
|
||
|
|
||
|
CVE-2024-31082
|
||
|
|
||
|
Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
|
||
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
||
|
---
|
||
|
hw/xquartz/xpr/appledri.c | 4 +++-
|
||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
|
||
|
index 77574655b..40422b61a 100644
|
||
|
--- a/hw/xquartz/xpr/appledri.c
|
||
|
+++ b/hw/xquartz/xpr/appledri.c
|
||
|
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||
|
xAppleDRICreatePixmapReply rep;
|
||
|
int width, height, pitch, bpp;
|
||
|
void *ptr;
|
||
|
+ CARD32 stringLength;
|
||
|
|
||
|
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
|
||
|
|
||
|
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||
|
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
|
||
|
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
|
||
|
|
||
|
+ stringLength = rep.stringLength; /* save unswapped value */
|
||
|
if (client->swapped) {
|
||
|
swaps(&rep.sequenceNumber);
|
||
|
swapl(&rep.length);
|
||
|
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
||
|
}
|
||
|
|
||
|
WriteToClient(client, sizeof(rep), &rep);
|
||
|
- WriteToClient(client, rep.stringLength, path);
|
||
|
+ WriteToClient(client, stringLength, path);
|
||
|
|
||
|
return Success;
|
||
|
}
|
||
|
--
|
||
|
2.44.0
|
||
|
|