From 054bde5cd6cab18b0049aa5e2d15661fb30e2dc1 Mon Sep 17 00:00:00 2001
From: Tautvis <gtautvis@gmail.com>
Date: Tue, 1 Jul 2025 13:23:20 +0200
Subject: [PATCH] xf86vidmode: fix result copying in ProcVidModeGetMonitor()

The monitor values (vendor and model) accidentally had been copied
at the start of the payload, instead of being appended after the
previously copied data, and also moving the wrong pointer, thus
corrupting the reply and causing some clients to hang.

Signed-off-by: Tautvis <gtautvis@gmail.com>
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
 Xext/vidmode.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index f9bbf9830..a192cff29 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -1280,7 +1280,7 @@ ProcVidModeGetMonitor(ClientPtr client)
                   + nHsync + nVrefresh + nVendorItems + nModelItems
     };
 
-    const int buflen = nHsync * nVrefresh + nVendorItems + nModelItems;
+    const int buflen = nHsync + nVrefresh + nVendorItems + nModelItems;
 
     CARD32 *sendbuf = calloc(buflen, sizeof(CARD32));
     if (!sendbuf)
@@ -1302,22 +1302,22 @@ ProcVidModeGetMonitor(ClientPtr client)
         bufwalk++;
     }
 
-    memcpy(sendbuf,
+    memcpy(bufwalk,
            pVidMode->GetMonitorValue(pScreen, VIDMODE_MON_VENDOR, 0).ptr,
            vendorLength);
-    sendbuf += nVendorItems;
+    bufwalk += nVendorItems;
 
-    memcpy(sendbuf,
+    memcpy(bufwalk,
            pVidMode->GetMonitorValue(pScreen, VIDMODE_MON_MODEL, 0).ptr,
            modelLength);
-    sendbuf += nModelItems;
+    bufwalk += nModelItems;
 
     if (client->swapped) {
         swaps(&rep.sequenceNumber);
         swapl(&rep.length);
     }
 
-    WriteToClient(client, SIZEOF(xXF86VidModeGetMonitorReply), &rep);
+    WriteToClient(client, sizeof(xXF86VidModeGetMonitorReply), &rep);
     WriteToClient(client, buflen * sizeof(CARD32), sendbuf);
 
     free(sendbuf);