From ef396a28b76db135dbc746c52bdc644554a8eb50 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 15:56:39 +0200
Subject: [PATCH] xquartz: fix length checking with bigreq
The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes.
Signed-off-by: Enrico Weigelt, metux IT consult
Part-of:
---
 hw/xquartz/applewm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/xquartz/applewm.c b/hw/xquartz/applewm.c
index 4441038f5..254931f0b 100644
--- a/hw/xquartz/applewm.c
+++ b/hw/xquartz/applewm.c
@@ -387,7 +387,7 @@ ProcAppleWMSetWindowMenu(register ClientPtr client)
 return BadAlloc;
 }
- max_len = (stuff->length << 2) - sizeof(xAppleWMSetWindowMenuReq);
+ max_len = (client->req-len << 2) - sizeof(xAppleWMSetWindowMenuReq);
 bytes = (char *)&stuff[1];
 for (i = j = 0; i < max_len && j < nitems;) {
@@ -601,7 +601,7 @@ ProcAppleWMFrameDraw(register ClientPtr client)
 or = make_box(stuff->ox, stuff->oy, stuff->ow, stuff->oh);
 title_length = stuff->title_length;
- title_max = (stuff->length << 2) - sizeof(xAppleWMFrameDrawReq);
+ title_max = (client->req_len << 2) - sizeof(xAppleWMFrameDrawReq);
 if (title_max < title_length) return BadValue;
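Review bot: The added line in ProcAppleWMSetWindowMenu spells the field `client->req-len`, which C parses as `client->req` minus `len`, not the `client->req_len` that the commit message names and the second hunk uses. Unless both of those identifiers happen to exist, the file will not compile, and because it sits under hw/xquartz it is presumably built only on macOS, so other build jobs may not catch it. The line should read `max_len = (client->req_len << 2) - sizeof(xAppleWMSetWindowMenuReq);`. The function body starts and ends outside the hunk.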
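Review bot: The `title_max` bound in ProcAppleWMFrameDraw subtracts `sizeof(xAppleWMFrameDrawReq)` (a `size_t`) from the request's byte length, so a request shorter than the fixed header would wrap instead of going negative. Depending on the declared type of `title_max`, which is outside the hunk, the `title_max < title_length` check might then accept any title length. Whether a minimum-size check such as `REQUEST_AT_LEAST_SIZE(xAppleWMFrameDrawReq)` runs earlier in the function is not visible here and should be confirmed. A short comment above the subtraction, e.g. `/* REQUEST_AT_LEAST_SIZE above guarantees req_len covers the fixed header */`, would make the bound auditable. The same applies to `max_len` in the ProcAppleWMSetWindowMenu hunk.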