From c3e1f6fccf4abfbfde1a246cce8f70e95d6b28b6 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 15:59:38 +0200
Subject: [PATCH] Xext: vidmode: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult
Part-of:
---
 Xext/vidmode.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index 1bc98a8af..db138b646 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -469,7 +469,7 @@ ProcVidModeAddModeLine(ClientPtr client)
 if (ver < 2) {
 /* convert from old format */
 stuff = &newstuff;
- stuff->length = oldstuff->length;
+ stuff->length = client->req_len;
 stuff->screen = oldstuff->screen;
 stuff->dotclock = oldstuff->dotclock;
 stuff->hdisplay = oldstuff->hdisplay;
@@ -639,7 +639,7 @@ ProcVidModeDeleteModeLine(ClientPtr client)
 if (ver < 2) {
 /* convert from old format */
 stuff = &newstuff;
- stuff->length = oldstuff->length;
+ stuff->length = client->req_len;
 stuff->screen = oldstuff->screen;
 stuff->dotclock = oldstuff->dotclock;
 stuff->hdisplay = oldstuff->hdisplay;
@@ -668,7 +668,7 @@ ProcVidModeDeleteModeLine(ClientPtr client)
 "len = %d, length = %d\n",
 (unsigned long) client->req_len,
 (int) sizeof(xXF86VidModeDeleteModeLineReq) >> 2,
- (unsigned long) stuff->privsize, len, stuff->length);
+ (unsigned long) stuff->privsize, len, client->req_len);
 return BadLength;
 }

@@ -763,7 +763,7 @@ ProcVidModeModModeLine(ClientPtr client)
 if (ver < 2) {
 /* convert from old format */
 stuff = &newstuff;
- stuff->length = oldstuff->length;
+ stuff->length = client->req_len;
 stuff->screen = oldstuff->screen;
 stuff->hdisplay = oldstuff->hdisplay;
 stuff->hsyncstart = oldstuff->hsyncstart;
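Review bot: In the old-format conversion branch of ProcVidModeAddModeLine, `stuff->length = client->req_len;` may narrow the value. The declaration of the `length` member is outside this hunk, but if it is the 16-bit length field of the X request header, a request longer than 65535 words (the big-request case the commit message names) is stored truncated. The same assignment is added in ProcVidModeDeleteModeLine, ProcVidModeModModeLine, ProcVidModeValidateModeLine and ProcVidModeSwitchToMode. Any later size check that reads `stuff->length` would then compare against a wrapped value, so validation should read `client->req_len` directly; a comment on the assignment such as `/* length is the 16-bit wire field; validate sizes against client->req_len only */` would make that explicit. The function bodies start and end outside the hunks, so whether `stuff->length` is read again cannot be confirmed from here.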
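Review bot: In the DebugF call at -668 in ProcVidModeDeleteModeLine, the new last argument `client->req_len` is passed uncast to a `%d` conversion, while the same value is cast as `(unsigned long) client->req_len` earlier in the argument list. The declaration of `req_len` is not visible here; if it is an unsigned type, the specifier and argument disagree and a large request length would print as a negative number. Changing the two lines to `"len = %d, length = %lu\n",` and `(unsigned long) stuff->privsize, len, (unsigned long) client->req_len);` keeps the diagnostic accurate. The message also now prints the same value twice, so the trailing `length` field could be dropped instead. The start of the DebugF call and the first part of its format string lie outside the hunk.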
@@ -897,7 +897,7 @@ ProcVidModeValidateModeLine(ClientPtr client)
 if (ver < 2) {
 /* convert from old format */
 stuff = &newstuff;
- stuff->length = oldstuff->length;
+ stuff->length = client->req_len;
 stuff->screen = oldstuff->screen;
 stuff->dotclock = oldstuff->dotclock;
 stuff->hdisplay = oldstuff->hdisplay;
@@ -1050,7 +1050,7 @@ ProcVidModeSwitchToMode(ClientPtr client)
 if (ver < 2) {
 /* convert from old format */
 stuff = &newstuff;
- stuff->length = oldstuff->length;
+ stuff->length = client->req_len;
 stuff->screen = oldstuff->screen;
 stuff->dotclock = oldstuff->dotclock;
 stuff->hdisplay = oldstuff->hdisplay;