File U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch of Package xwayland.39024

From eb1c0386535c5a6451cbf21ca351087ebfafb025 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:05:36 +0200
Subject: [PATCH xserver] xfixes: Check request length for
 SetClientDisconnectMode

The handler of XFixesSetClientDisconnectMode does not check the client
request length.

A client could send a shorter request and read data from a former
request.

Fix the issue by checking the request size matches.

CVE-2025-49177

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 xfixes/disconnect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xwayland-24.1.6/xfixes/disconnect.c
===================================================================
--- xwayland-24.1.6.orig/xfixes/disconnect.c
+++ xwayland-24.1.6/xfixes/disconnect.c
@@ -69,6 +69,7 @@ ProcXFixesSetClientDisconnectMode(Client
     ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
 
     REQUEST(xXFixesSetClientDisconnectModeReq);
+    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 
     pDisconnect->disconnect_mode = stuff->disconnect_mode;
 
@@ -82,7 +83,7 @@ SProcXFixesSetClientDisconnectMode(Clien
 
     swaps(&stuff->length);
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
+    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 
     swapl(&stuff->disconnect_mode);
 
openSUSE Build Service is sponsored by