Xext: security: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
2024-08-06 15:58:44 +02:00 · 2024-08-06 15:58:44 +02:00 · 67a3319d73
parent bacc4b1477
commit 67a3319d73
1 changed files with 2 additions and 2 deletions
--- a/Xext/security.c
+++ b/Xext/security.c
@ -636,10 +636,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client)
    values_offset = bytes_to_int32(stuff->nbytesAuthProto) +
        bytes_to_int32(stuff->nbytesAuthData);
    if (values_offset >
-        stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
+        client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
        return BadLength;
    values = (CARD32 *) (&stuff[1]) + values_offset;
-    nvalues = (((CARD32 *) stuff) + stuff->length) - values;
+    nvalues = (((CARD32 *) stuff) + client->req_len) - values;
    SwapLongs(values, nvalues);
    return ProcSecurityGenerateAuthorization(client);
 }                               /* SProcSecurityGenerateAuthorization */