(submit/fixup-req-len) Xext: saver: fix length checking with bigreq

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Xext/saver.c

@@ -742,7 +742,7 @@ ScreenSaverSetAttributes(ClientPtr client)
     if (ret != Success)
         return ret;
 
-    len = stuff->length - bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
+    len = client->req_len - bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
     if (Ones(stuff->mask) != len)
         return BadLength;
     if (!stuff->width || !stuff->height) {
@@ -1091,7 +1091,7 @@ ProcScreenSaverSetAttributes(ClientPtr client)
             return (status == BadValue) ? BadDrawable : status;
 
         len =
-            stuff->length -
+            client->req_len -
             bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
         if (Ones(stuff->mask) != len)
             return BadLength;