From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 22 Mar 2024 19:07:34 -0700
Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply CVE-2024-31082
Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
Signed-off-by: Alan Coopersmith
Part-of:
---
 hw/xquartz/xpr/appledri.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
index 77574655b..40422b61a 100644
--- a/hw/xquartz/xpr/appledri.c
+++ b/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
 xAppleDRICreatePixmapReply rep;
 int width, height, pitch, bpp;
 void *ptr;
+ CARD32 stringLength;
 REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
 if (sizeof(rep) != sz_xAppleDRICreatePixmapReply) ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ stringLength = rep.stringLength; /* save unswapped value */
 if (client->swapped) {
 swaps(&rep.sequenceNumber);
 swapl(&rep.length);
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
 }
 WriteToClient(client, sizeof(rep), &rep);
- WriteToClient(client, rep.stringLength, path);
+ WriteToClient(client, stringLength, path);
 return Success;
 }
--
2.44.0
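Review bot: The comment on the added `stringLength = rep.stringLength;` line in the second hunk says what is saved but not why, and the reason is the invariant the fix depends on: once the `client->swapped` block has run, the fields of `rep` are in the client's byte order and must not be used as host-side byte counts. I would state that in the comment, e.g. `/* host-order copy: rep is byte-swapped in place below, so rep.stringLength is not a valid byte count afterwards */`, so a later edit does not put `rep.stringLength` back into the `WriteToClient(client, stringLength, path)` call changed in the third hunk. The swap of `rep.stringLength` itself is presumably in the part of the swap block that falls between the hunks, and the function starts before the first hunk, so this is inferred from the commit title rather than from visible lines. Because the wrong length was only reachable when `client->swapped` is set, a regression check for this handler needs a client of the opposite byte order; same-endian testing never exercises the path.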