Apertis CI robot · d2516b02 · 88909f68 · bd33c3ca · 09c05a09 · d2516b02
--- a/debian/patches/20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch 0 → 100644

+ 61

− 0
+++ b/debian/patches/20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch 0 → 100644

+ 61

− 0
+From 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
+ to send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
+---
+ Xi/xiselectev.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
+@@ -292,16 +292,17 @@ ProcXIGetSelectedEvents(ClientPtr client
+     int rc, i;
+     WindowPtr win;
+     char *buffer = NULL;
+     xXIGetSelectedEventsReply reply;
+     OtherInputMasks *masks;
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
+    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+ 
+     rc = dixLookupWindow(&win, stuff->win, client, DixGetAttrAccess);
+     if (rc != Success)
+         return rc;
+ 
+@@ -361,20 +362,22 @@ ProcXIGetSelectedEvents(ClientPtr client
+                 memcpy(&evmask[1], devmask, j + 1);
+                 evmask = (xXIEventMask *) ((char *) evmask +
+                                            sizeof(xXIEventMask) + mask_len * 4);
+                 break;
+             }
+         }
+     }
+ 
+    /* save the value before SRepXIGetSelectedEvents swaps it */
+    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
+        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+ }
+ 
+ void
+ SRepXIGetSelectedEvents(ClientPtr client,
+                         int len, xXIGetSelectedEventsReply * rep)