From bacc4b1477942597bf6dd591366ac1fd84faef4c Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Tue, 6 Aug 2024 15:58:11 +0200
Subject: [PATCH] Xext: saver: fix length checking with bigreq

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
---
 Xext/saver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index ad06f9bdb..0c49427a6 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -748,7 +748,7 @@ ScreenSaverSetAttributes(ClientPtr client)
     if (ret != Success)
         return ret;
 
-    len = stuff->length - bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
+    len = client->req_len - bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
     if (Ones(stuff->mask) != len)
         return BadLength;
     if (!stuff->width || !stuff->height) {
@@ -1097,7 +1097,7 @@ ProcScreenSaverSetAttributes(ClientPtr client)
             return (status == BadValue) ? BadDrawable : status;
 
         len =
-            stuff->length -
+            client->req_len -
             bytes_to_int32(sizeof(xScreenSaverSetAttributesReq));
         if (Ones(stuff->mask) != len)
             return BadLength;