From 2b7f53a0bff32a13f8665b1e649c49264c5cdde5 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 15:56:39 +0200
Subject: [PATCH] (!1639) xquartz: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult
---
 hw/xquartz/applewm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/xquartz/applewm.c b/hw/xquartz/applewm.c
index 4edab98e0..2657c9bb6 100644
--- a/hw/xquartz/applewm.c
+++ b/hw/xquartz/applewm.c
@@ -389,7 +389,7 @@ ProcAppleWMSetWindowMenu(register ClientPtr client)
 return BadAlloc;
 }
- max_len = (stuff->length << 2) - sizeof(xAppleWMSetWindowMenuReq);
+ max_len = (client->req-len << 2) - sizeof(xAppleWMSetWindowMenuReq);
 bytes = (char *)&stuff[1];
 for (i = j = 0; i < max_len && j < nitems;) {
@@ -603,7 +603,7 @@ ProcAppleWMFrameDraw(register ClientPtr client)
 or = make_box(stuff->ox, stuff->oy, stuff->ow, stuff->oh);
 title_length = stuff->title_length;
- title_max = (stuff->length << 2) - sizeof(xAppleWMFrameDrawReq);
+ title_max = (client->req_len << 2) - sizeof(xAppleWMFrameDrawReq);
 if (title_max < title_length)
 return BadValue;
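Review bot: The added line in ProcAppleWMSetWindowMenu reads `client->req-len`, which the compiler parses as `client->req - len` rather than the `req_len` member the commit message and the second hunk use; unless a `req` member and a `len` variable happen to be in scope this does not build, and if it did it would not be the request length at all, so the bigreq fix would not actually be applied to this handler. The line should be `max_len = (client->req_len << 2) - sizeof(xAppleWMSetWindowMenuReq);`, matching the FrameDraw hunk. ProcAppleWMSetWindowMenu begins and ends outside this hunk.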
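Review bot: In ProcAppleWMFrameDraw the new `title_max` expression subtracts a `sizeof` from the shifted request length, so if `client->req_len << 2` is ever smaller than `sizeof(xAppleWMFrameDrawReq)` the result wraps to a huge unsigned value and the following `title_max < title_length` check passes; the same shape appears in the SetWindowMenu hunk. This is only safe if a minimum-length check such as `REQUEST_AT_LEAST_SIZE(xAppleWMFrameDrawReq)` runs earlier in the handler, which is outside the hunk, so it is worth confirming and, if it is absent, adding before this line. A short comment here, `/* req_len is in 4-byte units and is already validated to cover the fixed header */`, would make that dependency visible to the next reader. ProcAppleWMFrameDraw begins and ends outside this hunk.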