From 6c2f17a5e02198a0fd0cbc62dc07c9360b64b53f Mon Sep 17 00:00:00 2001
From: Tautvis <gtautvis@gmail.com>
Date: Tue, 1 Jul 2025 13:23:20 +0200
Subject: [PATCH] xf86vidmode: fix result copying in ProcVidModeGetMonitor()

The monitor values (vendor and model) accidentally had been copied
at the start of the payload, instead of being appended after the
previously copied data, and also moving the wrong pointer, thus
corrupting the reply and causing some clients to hang.

Signed-off-by: Tautvis <gtautvis@gmail.com>
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
 Xext/vidmode.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index f9bbf9830..a192cff29 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -1280,7 +1280,7 @@ ProcVidModeGetMonitor(ClientPtr client)
                   + nHsync + nVrefresh + nVendorItems + nModelItems
     };
 
-    const int buflen = nHsync * nVrefresh + nVendorItems + nModelItems;
+    const int buflen = nHsync + nVrefresh + nVendorItems + nModelItems;
 
     CARD32 *sendbuf = calloc(buflen, sizeof(CARD32));
     if (!sendbuf)
@@ -1302,22 +1302,22 @@ ProcVidModeGetMonitor(ClientPtr client)
         bufwalk++;
     }
 
-    memcpy(sendbuf,
+    memcpy(bufwalk,
            pVidMode->GetMonitorValue(pScreen, VIDMODE_MON_VENDOR, 0).ptr,
            vendorLength);
-    sendbuf += nVendorItems;
+    bufwalk += nVendorItems;
 
-    memcpy(sendbuf,
+    memcpy(bufwalk,
            pVidMode->GetMonitorValue(pScreen, VIDMODE_MON_MODEL, 0).ptr,
            modelLength);
-    sendbuf += nModelItems;
+    bufwalk += nModelItems;
 
     if (client->swapped) {
         swaps(&rep.sequenceNumber);
         swapl(&rep.length);
     }
 
-    WriteToClient(client, SIZEOF(xXF86VidModeGetMonitorReply), &rep);
+    WriteToClient(client, sizeof(xXF86VidModeGetMonitorReply), &rep);
     WriteToClient(client, buflen * sizeof(CARD32), sendbuf);
 
     free(sendbuf);