|
|
6996b1 |
From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
|
|
|
6996b1 |
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
6996b1 |
Date: Fri, 22 Mar 2024 19:07:34 -0700
|
|
|
6996b1 |
Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
|
|
|
6996b1 |
length to send reply
|
|
|
6996b1 |
|
|
|
6996b1 |
CVE-2024-31082
|
|
|
6996b1 |
|
|
|
6996b1 |
Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
|
|
|
6996b1 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
6996b1 |
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
|
|
6996b1 |
---
|
|
|
6996b1 |
hw/xquartz/xpr/appledri.c | 4 +++-
|
|
|
6996b1 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
6996b1 |
|
|
|
6996b1 |
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
|
|
|
6996b1 |
index 77574655b..40422b61a 100644
|
|
|
6996b1 |
--- a/hw/xquartz/xpr/appledri.c
|
|
|
6996b1 |
+++ b/hw/xquartz/xpr/appledri.c
|
|
|
6996b1 |
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
|
|
6996b1 |
xAppleDRICreatePixmapReply rep;
|
|
|
6996b1 |
int width, height, pitch, bpp;
|
|
|
6996b1 |
void *ptr;
|
|
|
6996b1 |
+ CARD32 stringLength;
|
|
|
6996b1 |
|
|
|
6996b1 |
REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
|
|
|
6996b1 |
|
|
|
6996b1 |
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
|
|
6996b1 |
if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
|
|
|
6996b1 |
ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
|
|
|
6996b1 |
|
|
|
6996b1 |
+ stringLength = rep.stringLength; /* save unswapped value */
|
|
|
6996b1 |
if (client->swapped) {
|
|
|
6996b1 |
swaps(&rep.sequenceNumber);
|
|
|
6996b1 |
swapl(&rep.length);
|
|
|
6996b1 |
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
|
|
|
6996b1 |
}
|
|
|
6996b1 |
|
|
|
6996b1 |
WriteToClient(client, sizeof(rep), &rep;;
|
|
|
6996b1 |
- WriteToClient(client, rep.stringLength, path);
|
|
|
6996b1 |
+ WriteToClient(client, stringLength, path);
|
|
|
6996b1 |
|
|
|
6996b1 |
return Success;
|
|
|
6996b1 |
}
|
|
|
6996b1 |
--
|
|
|
6996b1 |
2.44.0
|
|
|
6996b1 |
|