openbsd/xenocara
1
0
Fork 0
mirror of https://github.com/openbsd/xenocara.git synced 2025-12-10 11:19:04 +00:00
Code Issues Projects Releases Wiki Activity

Need to use unswapped length to send reply in

Browse Source 
ProcXIGetSelectedEvents() (CVE-2024-31080) and
ProcXiPassiveGrabDevice() (CVE-2024-31081)
This commit is contained in:
matthieu
2024-04-03 16:26:45 +00:00
parent 6621640bea
commit a56b04ec0c
2 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
xserver/Xi/xipassivegrab.c
View File

@@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
}
}
if (client->swapped) {
/* save the value before SRepXIPassiveGrabDevice swaps it */
uint32_t length = rep.length;
WriteReplyToClient(client, sizeof(rep), &rep);
if (length)
WriteToClient(client, length * 4, modifiers_failed);
}
else {
WriteReplyToClient(client, sizeof(rep), &rep);
if (rep.num_modifiers)
WriteToClient(client, rep.length * 4, modifiers_failed);
}
out:
free(modifiers_failed);

11
xserver/Xi/xiselectev.c
View File

@@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
}
}
if (client->swapped) {
/* save the value before SRepXIGetSelectedEvents swaps it */
uint32_t length = reply.length;
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
if (length)
WriteToClient(client, length * 4, buffer);
}
else {
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
if (reply.num_masks)
WriteToClient(client, reply.length * 4, buffer);
}
free(buffer);
return Success;