authorMatthieu Herrb <matthieu@cvs.openbsd.org>2024-04-03 16:26:46 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2024-04-03 16:26:46 +0000
commitb6c3c34eb8d4d46117acb73e99729a53ac1adb32 (patch)
tree23c2c161d1c797844d01f9dac569830ddb5be3b4
parentc04a05a4f7d3efbf0cc106347a6bb6e4bbfe4843 (diff)
Need to use unswapped length to send reply in
ProcXIGetSelectedEvents() (CVE-2024-31080) and ProcXIPassiveGrabDevice() (CVE-2024-31081)
-rw-r--r--xserver/Xi/xipassivegrab.c15
-rw-r--r--xserver/Xi/xiselectev.c17
2 files changed, 26 insertions, 6 deletions
diff --git a/xserver/Xi/xipassivegrab.c b/xserver/Xi/xipassivegrab.c
index c9ac2f855..10ffcd68a 100644
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
}
}
- WriteReplyToClient(client, sizeof(rep), &rep);
- if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, modifiers_failed);
+ if (client->swapped) {
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ uint32_t length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (length)
+ WriteToClient(client, length * 4, modifiers_failed);
+ }
+ else {
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+ WriteToClient(client, rep.length * 4, modifiers_failed);
+ }
out:
free(modifiers_failed);
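Review bot: The two branches added before `out:` differ only in where the trailing byte count comes from, so the write path is duplicated and the swapped branch is guarded by `length` while the unswapped one is still guarded by `rep.num_modifiers`. Copying the field once before the reply is written, `uint32_t length = rep.length;`, and then using `if (length) WriteToClient(client, length * 4, modifiers_failed);` for every client would drop the `client->swapped` test and leave a single path to audit. That is equivalent only if `rep.length` is zero exactly when `rep.num_modifiers` is zero, which is decided outside this hunk and should be confirmed. The same shape appears in the ProcXIGetSelectedEvents hunk in xiselectev.c, and the function body starts and ends outside the hunk.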
diff --git a/xserver/Xi/xiselectev.c b/xserver/Xi/xiselectev.c
index edcb8a0d3..acb46425f 100644
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
@@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
}
}
- WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ if (client->swapped) {
+ /* save the value before SRepXIGetSelectedEvents swaps it */
+ uint32_t length = reply.length;
- if (reply.num_masks)
- WriteToClient(client, reply.length * 4, buffer);
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (length)
+ WriteToClient(client, length * 4, buffer);
+ }
+ else {
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+ WriteToClient(client, reply.length * 4, buffer);
+ }
free(buffer);
return Success;
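Review bot: The comment in the swapped branch explains the saved copy but not the rule a later editor has to follow, namely that `reply` must not be read again once WriteReplyToClient() has run for a swapped client. I would extend it to something like `/* the reply writer byte-swaps reply in place for swapped clients; read no reply field after this call, and keep the byte count below equal to what was filled into buffer */`. Whether fields other than `length` are swapped is not visible here, so that wording should be checked against SRepXIGetSelectedEvents. The allocation of `buffer` is also outside the hunk, so it is worth confirming that `length * 4` can never exceed it, since this count is what bounds how much heap is sent to the client.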