Update to xserver 21.1.12

The security patches were already commited, sync with the rest
of the 21.1.12 relase.

17 files changed, 289 insertions, 49 deletions

diff --git a/xserver/ChangeLog b/xserver/ChangeLog
index 4f43caad8..baea527b3 100644
--- a/xserver/ChangeLog
+++ b/xserver/ChangeLog
@@ -1,3 +1,217 @@
+commit 101caa1b03bc26b718f4618eb24104add5d14a4b
+Author: Povilas Kanapickas <povilas@radix.lt>
+Date:   Wed Apr 3 23:43:42 2024 +0300
+
+    xserver 21.1.12
+    
+    Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+
+commit 1173156404be826f50f453ca11bda28ccb5a5268
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date:   Tue Jan 30 13:13:35 2024 +1000
+
+    render: fix refcounting of glyphs during ProcRenderAddGlyphs
+    
+    Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+    re-used glyph would end up not changing the refcount at all. The
+    resulting glyph_new array would thus have multiple entries pointing to
+    the same non-refcounted glyphs.
+    
+    AddGlyph may free a glyph, resulting in a UAF when the same glyph
+    pointer is then later used.
+    
+    Fix this by returning a refcount of 1 for a new glyph and always
+    incrementing the refcount for a re-used glyph, followed by dropping that
+    refcount back down again when we're done with it.
+    
+    CVE-2024-31083, ZDI-CAN-22880
+    
+    This vulnerability was discovered by:
+    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+    
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+    (cherry picked from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
+
+commit 0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Mar 22 19:07:34 2024 -0700
+
+    Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
+    
+    CVE-2024-31082
+    
+    Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+    (cherry picked from commit 6c684d035c06fd41c727f0ef0744517580864cef)
+
+commit cea92ca78f900bfb4c9a5540dfd631e065b9151b
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Mar 22 18:56:27 2024 -0700
+
+    Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
+    
+    CVE-2024-31081
+    
+    Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+    (cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
+
+commit 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Mar 22 18:51:45 2024 -0700
+
+    Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply
+    
+    CVE-2024-31080
+    
+    Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+    Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+    (cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
+
+commit 5ca3a95135d9c89753e2af19da5a2615ea2be1c3
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu Mar 21 18:08:35 2024 -0700
+
+    Xext: SProcSyncCreateFence needs to swap drawable id too
+    
+    Otherwise it causes the server to return BadDrawable giving a
+    byte-swapped resource id instead of the real id the client sent.
+    
+    Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+    Fixes: 397dfd9f8 ("Create/Destroy/Trigger/Reset/Query Fence Sync objs")
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    ---
+    (cherry picked from commit e6573baa7d99a77f44229b9a96a41bbda57e2387)
+    
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1438>
+
+commit 5d7272f05d9ef6bef93419febee3c9dfc63ec055
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date:   Sat Mar 23 10:42:33 2024 -0700
+
+    Allow disabling byte-swapped clients
+    
+    The X server swapping code is a huge attack surface, much of this code
+    is untested and prone to security issues. The use-case of byte-swapped
+    clients is very niche, so allow users to disable this if they don't
+    need it, using either a config option or commandline flag.
+    
+    For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "off".
+    For all DDX, this adds the commandline options +byteswappedclients and
+    -byteswappedclients to enable or disable, respectively.
+    
+    Fixes #1201
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+    ---
+    (cherry picked from commit 412777664a20dd3561b936c02c96571a756fe9b2)
+    (cherry picked from commit af5cd5acc9012e527ee869f8e98bf6c2e9a02ca4)
+    Backport to server-21.1-branch modified to keep byte-swapping enabled
+    by default but easy to disable by users or admins (or even by distros
+    shipping an xorg.conf.d fragment in their packages).
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1440>
+
+commit 8a46a463f631ed52613d67f4088924acbbb6ca20
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date:   Sun Dec 5 22:05:08 2021 +0100
+
+    Initialize Mode->name in xf86CVTMode()
+    
+    This was overlooked when converting the function to use libxcvt.
+    Bring back name initialization from old code.
+    
+    This was causing a segfault in xf86LookupMode() if modes where
+    name is NULL are present the modePool list.
+    
+    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+    ---
+    (cherry picked from ed11c4d443ad2e82512df64358d38008e0ee7693)
+    
+    Reported-by: "Sergiy" <Black_N@ukr.net>
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1319>
+
+commit f653d9a0af912e577fab5c02b2a4eb380d33e8bb
+Author: Yusuf Khan <yusisamerican@gmail.com>
+Date:   Sat Feb 17 12:38:10 2024 -0800
+
+    hw/xfree86: fix NULL pointer refrence to mode name
+    
+    Potentially, the pointer to the mode name could be unset, this can
+    occur with the xf86-video-nv DDX, in that case there isnt much we can do
+    except check if the next mode is any better.
+    
+    Signed-off-by: Yusuf Khan <yusisamerican@gmail.com>
+    ---
+    (cherry picked from db3aa4e03b180244e8b4b02272c49f1e0c48b463)
+    
+    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1309>
+
+commit 8b75ec34dfbe435cd3a17e64138e22a37395a6d8
+Author: Povilas Kanapickas <povilas@radix.lt>
+Date:   Sun Dec 19 18:11:07 2021 +0200
+
+    dix: Fix use after free in input device shutdown
+    
+    This fixes access to freed heap memory via dev->master. E.g. when
+    running BarrierNotify.ReceivesNotifyEvents/7 test from
+    xorg-integration-tests:
+    
+    ==24736==ERROR: AddressSanitizer: heap-use-after-free on address
+    0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
+    READ of size 4 at 0x619000065020 thread T0
+        #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
+        #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
+        #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
+    ../../../Xi/xichangehierarchy.c:95
+        #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
+    ../../../hw/xfree86/common/xf86Xinput.c:1142
+        #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+        #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+        #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
+        #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+        #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
+    
+    0x619000065020 is located 160 bytes inside of 912-byte region
+    [0x619000064f80,0x619000065310)
+    freed by thread T0 here:
+    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+        #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
+        #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
+    ../../../hw/xfree86/common/xf86Xinput.c:1142
+        #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+        #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+        #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
+        #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+    
+    previously allocated by thread T0 here:
+    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+        #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
+        #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
+        #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
+    ../../../Xi/xichangehierarchy.c:465
+        #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
+        #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
+        #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
+        #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+    
+    The problem is caused by dev->master being not reset when disabling the
+    device, which then causes dangling pointer when the master device itself
+    is being deleted when exiting whole server.
+    
+    Note that RecalculateMasterButtons() requires dev->master to be still
+    valid, so we can reset it only at the end of function.
+    
+    Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+    (cherry picked from commit 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41)
+
 commit 31407c0199da877b359b2e37bb371804321279b7
 Author: José Expósito <jose.exposito89@gmail.com>
 Date:   Tue Jan 16 10:15:15 2024 +0100
diff --git a/xserver/Xext/sync.c b/xserver/Xext/sync.c
index fd2ceb042..661d345e4 100644
--- a/xserver/Xext/sync.c
+++ b/xserver/Xext/sync.c
@@ -2318,6 +2318,7 @@ SProcSyncCreateFence(ClientPtr client)
     REQUEST(xSyncCreateFenceReq);
     swaps(&stuff->length);
     REQUEST_SIZE_MATCH(xSyncCreateFenceReq);
+    swapl(&stuff->d);
     swapl(&stuff->fid);
 
     return ProcSyncCreateFence(client);
diff --git a/xserver/Xi/xipassivegrab.c b/xserver/Xi/xipassivegrab.c
index 10ffcd68a..896233bec 100644
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabParameters param;
     void *tmp;
     int mask_len;
+    uint32_t length;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,18 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 
-    if (client->swapped) {
-        /* save the value before SRepXIPassiveGrabDevice swaps it */
-        uint32_t length = rep.length;
-        WriteReplyToClient(client, sizeof(rep), &rep);
-        if (length)
-            WriteToClient(client, length * 4, modifiers_failed);
-    }
-    else {
-        WriteReplyToClient(client, sizeof(rep), &rep);
-        if (rep.num_modifiers)
-            WriteToClient(client, rep.length * 4, modifiers_failed);
-    }
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
+    WriteReplyToClient(client, sizeof(rep), &rep);
+    if (rep.num_modifiers)
+        WriteToClient(client, length * 4, modifiers_failed);
 
  out:
     free(modifiers_failed);
diff --git a/xserver/Xi/xiselectev.c b/xserver/Xi/xiselectev.c
index acb46425f..ac1494987 100644
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
     InputClientsPtr others = NULL;
     xXIEventMask *evmask = NULL;
     DeviceIntPtr dev;
+    uint32_t length;
 
     REQUEST(xXIGetSelectedEventsReq);
     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@@ -418,21 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
         }
     }
 
-    if (client->swapped) {
-        /* save the value before SRepXIGetSelectedEvents swaps it */
-        uint32_t length = reply.length;
+    /* save the value before SRepXIGetSelectedEvents swaps it */
+    length = reply.length;
+    WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
 
-        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
-
-        if (length)
-            WriteToClient(client, length * 4, buffer);
-    }
-    else {
-        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
-
-        if (reply.num_masks)
-            WriteToClient(client, reply.length * 4, buffer);
-    }
+    if (reply.num_masks)
+        WriteToClient(client, length * 4, buffer);
 
     free(buffer);
     return Success;
diff --git a/xserver/configure b/xserver/configure
index 57136fcf3..20b16a8b9 100644
--- a/xserver/configure
+++ b/xserver/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for xorg-server 21.1.11.
+# Generated by GNU Autoconf 2.71 for xorg-server 21.1.12.
 #
 # Report bugs to <https://gitlab.freedesktop.org/xorg/xserver/issues>.
 #
@@ -682,8 +682,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='xorg-server'
 PACKAGE_TARNAME='xorg-server'
-PACKAGE_VERSION='21.1.11'
-PACKAGE_STRING='xorg-server 21.1.11'
+PACKAGE_VERSION='21.1.12'
+PACKAGE_STRING='xorg-server 21.1.12'
 PACKAGE_BUGREPORT='https://gitlab.freedesktop.org/xorg/xserver/issues'
 PACKAGE_URL=''
 
@@ -2015,7 +2015,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures xorg-server 21.1.11 to adapt to many kinds of systems.
+\`configure' configures xorg-server 21.1.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2086,7 +2086,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of xorg-server 21.1.11:";;
+     short | recursive ) echo "Configuration of xorg-server 21.1.12:";;
    esac
   cat <<\_ACEOF
 
@@ -2275,10 +2275,10 @@ Optional Packages:
                           org.x)
   --with-bundle-version=VERSION
                           Version to use for X11.app's CFBundleVersion
-                          (default: 21.1.11)
+                          (default: 21.1.12)
   --with-bundle-version-string=VERSION
                           Version to use for X11.app's
-                          CFBundleShortVersionString (default: 21.1.11)
+                          CFBundleShortVersionString (default: 21.1.12)
   --with-sparkle-feed-url=URL
                           URL for the Sparkle feed (default:
                           https://www.xquartz.org/releases/sparkle/release.xml)
@@ -2493,7 +2493,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-xorg-server configure 21.1.11
+xorg-server configure 21.1.12
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -3150,7 +3150,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by xorg-server $as_me 21.1.11, which was
+It was created by xorg-server $as_me 21.1.12, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3907,7 +3907,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-RELEASE_DATE="2024-01-16"
+RELEASE_DATE="2024-04-03"
 RELEASE_NAME="Caramel Ice Cream"
 
 
@@ -4388,7 +4388,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='xorg-server'
- VERSION='21.1.11'
+ VERSION='21.1.12'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -24439,7 +24439,7 @@ if test ${with_bundle_version+y}
 then :
   withval=$with_bundle_version;  BUNDLE_VERSION="${withval}"
 else $as_nop
-   BUNDLE_VERSION="21.1.11"
+   BUNDLE_VERSION="21.1.12"
 fi
 
 
@@ -33105,7 +33105,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by xorg-server $as_me 21.1.11, which was
+This file was extended by xorg-server $as_me 21.1.12, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -33173,7 +33173,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-xorg-server config.status 21.1.11
+xorg-server config.status 21.1.12
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff --git a/xserver/configure.ac b/xserver/configure.ac
index 9d193a5af..76e3432a2 100644
--- a/xserver/configure.ac
+++ b/xserver/configure.ac
@@ -26,8 +26,8 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.60)
-AC_INIT([xorg-server], 21.1.11, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
-RELEASE_DATE="2024-01-16"
+AC_INIT([xorg-server], 21.1.12, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
+RELEASE_DATE="2024-04-03"
 RELEASE_NAME="Caramel Ice Cream"
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/xserver/dix/devices.c b/xserver/dix/devices.c
index 660c01f97..297cc1b8c 100644
--- a/xserver/dix/devices.c
+++ b/xserver/dix/devices.c
@@ -536,6 +536,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
     }
 
     RecalculateMasterButtons(dev);
+    dev->master = NULL;
 
     return TRUE;
 }
diff --git a/xserver/dix/dispatch.c b/xserver/dix/dispatch.c
index 460296197..8f7452d87 100644
--- a/xserver/dix/dispatch.c
+++ b/xserver/dix/dispatch.c
@@ -3780,9 +3780,11 @@ ProcEstablishConnection(ClientPtr client)
     auth_proto = (char *) prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
 
-    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
-	pad_to_int32(prefix->nbytesAuthProto) +
-	pad_to_int32(prefix->nbytesAuthString))
+    if (client->swapped && !AllowByteSwappedClients) {
+        reason = "Prohibited client endianess, see the Xserver man page ";
+    } else if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+               pad_to_int32(prefix->nbytesAuthProto) +
+               pad_to_int32(prefix->nbytesAuthString))
         reason = "Bad length";
     else if ((prefix->majorVersion != X_PROTOCOL) ||
         (prefix->minorVersion != X_PROTOCOL_REVISION))
diff --git a/xserver/hw/xfree86/common/xf86Config.c b/xserver/hw/xfree86/common/xf86Config.c
index 8b2193f87..f1a28b6a3 100644
--- a/xserver/hw/xfree86/common/xf86Config.c
+++ b/xserver/hw/xfree86/common/xf86Config.c
@@ -646,6 +646,7 @@ typedef enum {
     FLAG_MAX_CLIENTS,
     FLAG_IGLX,
     FLAG_DEBUG,
+    FLAG_ALLOW_BYTE_SWAPPED_CLIENTS,
 } FlagValues;
 
 /**
@@ -705,6 +706,8 @@ static OptionInfoRec FlagOptions[] = {
      {0}, FALSE},
     {FLAG_DEBUG, "Debug", OPTV_STRING,
      {0}, FALSE},
+    {FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, "AllowByteSwappedClients", OPTV_BOOLEAN,
+     {0}, FALSE},
     {-1, NULL, OPTV_NONE,
      {0}, FALSE},
 };
@@ -746,6 +749,14 @@ configServerFlags(XF86ConfFlagsPtr flagsconf, XF86OptionPtr layoutopts)
         xf86Msg(X_CONFIG, "Ignoring ABI Version\n");
     }
 
+    xf86GetOptValBool(FlagOptions, FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, &AllowByteSwappedClients);
+    if (AllowByteSwappedClients) {
+        xf86Msg(X_CONFIG, "Allowing byte-swapped clients\n");
+    }
+    else {
+        xf86Msg(X_CONFIG, "Prohibiting byte-swapped clients\n");
+    }
+
     if (xf86IsOptionSet(FlagOptions, FLAG_AUTO_ADD_DEVICES)) {
         xf86GetOptValBool(FlagOptions, FLAG_AUTO_ADD_DEVICES,
                           &xf86Info.autoAddDevices);
diff --git a/xserver/hw/xfree86/common/xf86Mode.c b/xserver/hw/xfree86/common/xf86Mode.c
index eb0885571..ef3be84c3 100644
--- a/xserver/hw/xfree86/common/xf86Mode.c
+++ b/xserver/hw/xfree86/common/xf86Mode.c
@@ -507,6 +507,8 @@ xf86LookupMode(ScrnInfoPtr scrp, DisplayModePtr modep,
             /* scan through the modes in the sort order above */
             if ((p->type & type) != type)
                 continue;
+            if (p->name == NULL)
+                continue;
 
             if (strcmp(p->name, modep->name) == 0) {
 
diff --git a/xserver/hw/xfree86/man/xorg.conf.man b/xserver/hw/xfree86/man/xorg.conf.man
index ac88d7e7a..ed125b3ee 100644
--- a/xserver/hw/xfree86/man/xorg.conf.man
+++ b/xserver/hw/xfree86/man/xorg.conf.man
@@ -677,6 +677,9 @@ Possible values are
 or
 .BR sync .
 Unset by default.
+.TP 7
+.BI "Option \*qAllowByteSwappedClients\*q  \*q" boolean \*q
+Allow clients with a different byte-order than the server. Enabled by default.
 .SH "MODULE SECTION"
 The
 .B Module
diff --git a/xserver/hw/xfree86/modes/xf86Modes.c b/xserver/hw/xfree86/modes/xf86Modes.c
index 00586c457..f660a214a 100644
--- a/xserver/hw/xfree86/modes/xf86Modes.c
+++ b/xserver/hw/xfree86/modes/xf86Modes.c
@@ -810,7 +810,7 @@ xf86CVTMode(int HDisplay, int VDisplay, float VRefresh, Bool Reduced,
 
     XNFasprintf(&tmp, "%dx%d", HDisplay, VDisplay);
     Mode->name = tmp;
-    
+
     Mode->VDisplay   = libxcvt_mode_info->vdisplay;
     Mode->HDisplay   = libxcvt_mode_info->hdisplay;
     Mode->Clock      = libxcvt_mode_info->dot_clock;
diff --git a/xserver/hw/xquartz/xpr/appledri.c b/xserver/hw/xquartz/xpr/appledri.c
index 77574655b..40422b61a 100644
--- a/xserver/hw/xquartz/xpr/appledri.c
+++ b/xserver/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     xAppleDRICreatePixmapReply rep;
     int width, height, pitch, bpp;
     void *ptr;
+    CARD32 stringLength;
 
     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
 
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
 
+    stringLength = rep.stringLength;  /* save unswapped value */
     if (client->swapped) {
         swaps(&rep.sequenceNumber);
         swapl(&rep.length);
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     }
 
     WriteToClient(client, sizeof(rep), &rep);
-    WriteToClient(client, rep.stringLength, path);
+    WriteToClient(client, stringLength, path);
 
     return Success;
 }
diff --git a/xserver/include/opaque.h b/xserver/include/opaque.h
index 256261c2a..398d4b4e5 100644
--- a/xserver/include/opaque.h
+++ b/xserver/include/opaque.h
@@ -74,4 +74,6 @@ extern _X_EXPORT Bool bgNoneRoot;
 extern _X_EXPORT Bool CoreDump;
 extern _X_EXPORT Bool NoListenAll;
 
+extern _X_EXPORT Bool AllowByteSwappedClients;
+
 #endif                          /* OPAQUE_H */
diff --git a/xserver/man/Xserver.man b/xserver/man/Xserver.man
index 764bd1d90..d6e18ffdd 100644
--- a/xserver/man/Xserver.man
+++ b/xserver/man/Xserver.man
@@ -114,6 +114,13 @@ pattern.   This is the default unless -retro or -wr is specified.
 .B \-bs
 disables backing store support on all screens.
 .TP 8
+.B \+byteswappedclients
+Allow connections from clients with an endianess different to that of the server.
+This is the default unless \fB\-byteswappedclients\fP is specified.
+.TP 8
+.B \-byteswappedclients
+Prohibit connections from clients with an endianess different to that of the server.
+.TP 8
 .B \-c
 turns off key-click.
 .TP 8
diff --git a/xserver/meson.build b/xserver/meson.build
index 6e33695e6..f91f9343a 100644
--- a/xserver/meson.build
+++ b/xserver/meson.build
@@ -3,10 +3,10 @@ project('xserver', 'c',
             'buildtype=debugoptimized',
             'c_std=gnu99',
         ],
-        version: '21.1.11',
+        version: '21.1.12',
         meson_version: '>= 0.47.0',
 )
-release_date = '2024-01-16'
+release_date = '2024-04-03'
 
 add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
 cc = meson.get_compiler('c')
diff --git a/xserver/os/utils.c b/xserver/os/utils.c
index 1934aeeef..f72330ebc 100644
--- a/xserver/os/utils.c
+++ b/xserver/os/utils.c
@@ -189,6 +189,8 @@ Bool CoreDump;
 
 Bool enableIndirectGLX = FALSE;
 
+Bool AllowByteSwappedClients = TRUE;
+
 #ifdef PANORAMIX
 Bool PanoramiXExtensionDisabledHack = FALSE;
 #endif
@@ -535,6 +537,8 @@ UseMsg(void)
     ErrorF("-br                    create root window with black background\n");
     ErrorF("+bs                    enable any backing store support\n");
     ErrorF("-bs                    disable any backing store support\n");
+    ErrorF("+byteswappedclients    Allow clients with endianess different to that of the server\n");
+    ErrorF("-byteswappedclients    Prohibit clients with endianess different to that of the server\n");
     ErrorF("-c                     turns off key-click\n");
     ErrorF("c #                    key-click volume (0-100)\n");
     ErrorF("-cc int                default color visual class\n");
@@ -731,6 +735,11 @@ ProcessCommandLine(int argc, char *argv[])
             else
                 UseMsg();
         }
+        else if (strcmp(argv[i], "-byteswappedclients") == 0) {
+            AllowByteSwappedClients = FALSE;
+        } else if (strcmp(argv[i], "+byteswappedclients") == 0) {
+            AllowByteSwappedClients = TRUE;
+        }
         else if (strcmp(argv[i], "-br") == 0)  /* default */
             party_like_its_1989 = FALSE;
         else if (strcmp(argv[i], "+bs") == 0)