(submit/fixup-req-len) Xext: security: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-08-06 15:58:44 +02:00 · 2024-08-06 15:58:44 +02:00 · 3b0db0df71
parent a5f0f51d1e
commit 3b0db0df71
1 changed files with 2 additions and 2 deletions
--- a/Xext/security.c
+++ b/Xext/security.c
@ -637,10 +637,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client)
    values_offset = bytes_to_int32(stuff->nbytesAuthProto) +
        bytes_to_int32(stuff->nbytesAuthData);
    if (values_offset >
-        stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
+        client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
        return BadLength;
    values = (CARD32 *) (&stuff[1]) + values_offset;
-    nvalues = (((CARD32 *) stuff) + stuff->length) - values;
+    nvalues = (((CARD32 *) stuff) + client->req_len) - values;
    SwapLongs(values, nvalues);
    return ProcSecurityGenerateAuthorization(client);
 }                               /* SProcSecurityGenerateAuthorization */