Need to use unswapped length to send reply in

ProcXIGetSelectedEvents() (CVE-2024-31080) and ProcXiPassiveGrabDevice() (CVE-2024-31081)
2025-12-10 03:08:56 +00:00 · 2024-04-03 16:26:45 +00:00
parent 6621640bea
commit a56b04ec0c
2 changed files with 26 additions and 6 deletions
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
        }
    }

-    WriteReplyToClient(client, sizeof(rep), &rep);
-    if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+    if (client->swapped) {
+        /* save the value before SRepXIPassiveGrabDevice swaps it */
+        uint32_t length = rep.length;
+        WriteReplyToClient(client, sizeof(rep), &rep);
+        if (length)
+            WriteToClient(client, length * 4, modifiers_failed);
+    }
+    else {
+        WriteReplyToClient(client, sizeof(rep), &rep);
+        if (rep.num_modifiers)
+            WriteToClient(client, rep.length * 4, modifiers_failed);
+    }

 out:
    free(modifiers_failed);
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
@@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
        }
    }

-    WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+    if (client->swapped) {
+        /* save the value before SRepXIGetSelectedEvents swaps it */
+        uint32_t length = reply.length;

-    if (reply.num_masks)
-        WriteToClient(client, reply.length * 4, buffer);
+        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+        if (length)
+            WriteToClient(client, length * 4, buffer);
+    }
+    else {
+        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+        if (reply.num_masks)
+            WriteToClient(client, reply.length * 4, buffer);
+    }

    free(buffer);
    return Success;