From 89b2aa9be81613cb1a06bd535bf50ecf2a00208d Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Mon, 27 Nov 2006 21:40:24 -0800
Subject: [PATCH] Destroying RandR crtc or output overwrites memory.
RRCrtcDestroyResource and RROutputDestroyResource had matching bugs that would overwrite memory past the end of the storage of the crtc or output arrays. Oops.
(cherry picked from 4202b23ed86405a4cebfdcf239df1b023c1d10ca commit)
---
 randr/rrcrtc.c | 2 +-
 randr/rroutput.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 212352c15..e8a7b79e1 100644
--- randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -344,7 +344,7 @@ RRCrtcDestroyResource (pointer value, XID pid)
 if (pScrPriv->crtcs[i] == crtc)
 {
 memmove (pScrPriv->crtcs + i, pScrPriv->crtcs + i + 1,
- (pScrPriv->numCrtcs - (i - 1)) * sizeof (RRCrtcPtr));
+ (pScrPriv->numCrtcs - (i + 1)) * sizeof (RRCrtcPtr));
 --pScrPriv->numCrtcs;
 break;
 }
diff --git a/randr/rroutput.c b/randr/rroutput.c
index f38f5826a..430f8bdaa 100644
--- randr/rroutput.c
+++ b/randr/rroutput.c
@@ -327,7 +327,7 @@ RROutputDestroyResource (pointer value, XID pid)
 if (pScrPriv->outputs[i] == output)
 {
 memmove (pScrPriv->outputs + i, pScrPriv->outputs + i + 1,
- (pScrPriv->numOutputs - (i - 1)) * sizeof (RROutputPtr));
+ (pScrPriv->numOutputs - (i + 1)) * sizeof (RROutputPtr));
 --pScrPriv->numOutputs;
 break;
 }
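Review bot: The corrected element count in the memmove of RRCrtcDestroyResource, `(pScrPriv->numCrtcs - (i + 1))`, is still an uncommented inline expression, and it is the exact spot the out-of-bounds write came from; the identical memmove in RROutputDestroyResource in randr/rroutput.c has the same gap. A one-line comment above each call would make the bound checkable at a glance, for example `/* move only the numCrtcs - (i + 1) entries that follow slot i; a larger count runs past the array */`. Because both functions carry the same remove-one-pointer-from-array logic, a single shared helper taking the array, its count and the index would keep the two copies from drifting into matching bugs again. The enclosing loop and the declaration of `i` start outside both hunks, so the type of `i` and the allocated size of the arrays cannot be confirmed from this diff.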