From 3b0db0df71790424c2afa9a3e11c7009c87ba25b Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Tue, 6 Aug 2024 15:58:44 +0200
Subject: [PATCH] (submit/fixup-req-len) Xext: security: fix length checking
 with bigreq

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
 Xext/security.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Xext/security.c b/Xext/security.c
index 426dc8601..68b4e7e5f 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -637,10 +637,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client)
     values_offset = bytes_to_int32(stuff->nbytesAuthProto) +
         bytes_to_int32(stuff->nbytesAuthData);
     if (values_offset >
-        stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
+        client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
         return BadLength;
     values = (CARD32 *) (&stuff[1]) + values_offset;
-    nvalues = (((CARD32 *) stuff) + stuff->length) - values;
+    nvalues = (((CARD32 *) stuff) + client->req_len) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
 }                               /* SProcSecurityGenerateAuthorization */