From a623060185921dd57c25cd57d33ee64748ed152a Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 15:55:38 +0200
Subject: [PATCH] xkb: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult
Part-of:
---
 xkb/xkb.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index aaf9716b3..9ede6f969 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -255,7 +255,7 @@ ProcXkbSelectEvents(ClientPtr client)
 register unsigned bit, ndx, maskLeft, dataLeft, size;
 from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - sizeof(xkbSelectEventsReq);
 maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
 for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
 if ((bit & maskLeft) == 0)
@@ -3372,7 +3372,7 @@ ProcXkbSetIndicatorMap(ClientPtr client)
 if (stuff->which & bit)
 nIndicators++;
 }
- if (stuff->length != ((SIZEOF(xkbSetIndicatorMapReq) +
+ if (client->req_len != ((sizeof(xkbSetIndicatorMapReq) +
 (nIndicators * SIZEOF(xkbIndicatorMapWireDesc))) /
 4)) {
 return BadLength;
@@ -4276,8 +4276,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
 return BadAtom;
 }
 }
- if ((tmp - ((CARD32 *) stuff)) != stuff->length) {
- client->errorValue = stuff->length;
+ if ((tmp - ((CARD32 *) stuff)) != client->req_len) {
+ client->errorValue = client->req_len;
 return BadLength;
 }
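Review bot: The swap from `SIZEOF(xkbSelectEventsReq)` to `sizeof(xkbSelectEventsReq)` in the ProcXkbSelectEvents hunk is not mentioned in the commit message and is applied unevenly. The ProcXkbSetIndicatorMap hunk now mixes `sizeof(xkbSetIndicatorMapReq)` with `SIZEOF(xkbIndicatorMapWireDesc)` in one expression, and the ProcXkbSetDebuggingFlags hunk keeps `sz_xkbSetDebuggingFlagsReq`. `SIZEOF()` gives the protocol wire size while `sizeof` gives the compiler's struct size, so the length arithmetic is unchanged only if the struct carries no padding, which the hunk does not show. I would keep `SIZEOF(xkbSelectEventsReq)` here, or pin the assumption with `_Static_assert(sizeof(xkbSelectEventsReq) == sz_xkbSelectEventsReq, "wire size mismatch");`. The body of ProcXkbSelectEvents continues outside the hunk.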
@@ -5872,11 +5872,11 @@ ProcXkbListComponents(ClientPtr client)
 return BadLength;
 size = *((uint8_t *)str);
 len = (str + size + 1) - ((unsigned char *) stuff);
- if ((XkbPaddedSize(len) / 4) > stuff->length)
+ if ((XkbPaddedSize(len) / 4) > client->req_len)
 return BadLength;
 str += (size + 1);
 }
- if ((XkbPaddedSize(len) / 4) != stuff->length)
+ if ((XkbPaddedSize(len) / 4) != client->req_len)
 return BadLength;
 rep = (xkbListComponentsReply) {
 .type = X_Reply,
@@ -5958,7 +5958,7 @@ ProcXkbGetKbdByName(ClientPtr client)
 names.geometry = GetComponentSpec(client, stuff, &str, TRUE, &status);
 if (status == Success) {
 len = str - ((unsigned char *) stuff);
- if ((XkbPaddedSize(len) / 4) != stuff->length)
+ if ((XkbPaddedSize(len) / 4) != client->req_len)
 status = BadLength;
 }
@@ -6819,7 +6819,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
 if (status != Success)
 return status;
 }
- if (((wire - ((char *) stuff)) / 4) != stuff->length)
+ if (((wire - ((char *) stuff)) / 4) != client->req_len)
 return BadLength;
 return Success;
@@ -6974,7 +6974,7 @@ ProcXkbSetDebuggingFlags(ClientPtr client)
 ErrorF("[xkb] XkbDebug: Setting debug controls to 0x%lx\n",
 (long) newCtrls);
 }
- extraLength = (stuff->length << 2) - sz_xkbSetDebuggingFlagsReq;
+ extraLength = (client->req_len << 2) - sz_xkbSetDebuggingFlagsReq;
 if (stuff->msgLength > 0) {
 char *msg;
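Review bot: The division in `((wire - ((char *) stuff)) / 4) != client->req_len` in the _XkbSetDeviceInfoCheck hunk truncates, so a parse that ends one to three bytes past the last whole word would still compare equal to the request length. Whether the helpers called earlier can leave `wire` off a 4-byte boundary is not visible in this hunk. If they can, comparing in bytes closes the gap: `if ((wire - ((char *) stuff)) != (ptrdiff_t) client->req_len * 4)`. The function starts outside the hunk.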
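Review bot: `extraLength = (client->req_len << 2) - sz_xkbSetDebuggingFlagsReq;` in the ProcXkbSetDebuggingFlags hunk depends on an earlier minimum-size check to keep the subtraction from going negative or wrapping, and neither that check nor the type of `extraLength` is visible here. The same holds for `dataLeft` in the ProcXkbSelectEvents hunk. A comment such as `/* req_len was checked against sz_xkbSetDebuggingFlagsReq above, so this cannot underflow */` would record the dependency, assuming that check exists. The function continues outside the hunk, including the `stuff->msgLength` handling that presumably consumes `extraLength`.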