wok-current view xorg-server/stuff/CVE-2024-31082.patch @ rev 25695

Up linux 5.10.214, Patch xorg-server (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083)
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 04 08:53:51 2024 +0000 (7 weeks ago)
parents
children
line source
1 From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
3 Date: Fri, 22 Mar 2024 19:07:34 -0700
4 Subject: [PATCH] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
5 length to send reply
6
7 CVE-2024-31082
8
9 Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
10 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
11 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
12 ---
13 hw/xquartz/xpr/appledri.c | 4 +++-
14 1 file changed, 3 insertions(+), 1 deletion(-)
15
16 diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
17 index 77574655b2..40422b61a9 100644
18 --- a/hw/xquartz/xpr/appledri.c
19 +++ b/hw/xquartz/xpr/appledri.c
20 @@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
21 xAppleDRICreatePixmapReply rep;
22 int width, height, pitch, bpp;
23 void *ptr;
24 + CARD32 stringLength;
25
26 REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
27
28 @@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
29 if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
30 ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
31
32 + stringLength = rep.stringLength; /* save unswapped value */
33 if (client->swapped) {
34 swaps(&rep.sequenceNumber);
35 swapl(&rep.length);
36 @@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
37 }
38
39 WriteToClient(client, sizeof(rep), &rep);
40 - WriteToClient(client, rep.stringLength, path);
41 + WriteToClient(client, stringLength, path);
42
43 return Success;
44 }
45 --
46 GitLab
47