From dba26368e5dbdd35df97d38ed517d1248503ab51 Mon Sep 17 00:00:00 2001
From: Peter Harris <peter.harris@hummingbird.com>
Date: Thu, 20 Dec 2007 15:58:01 -0500
Subject: [PATCH] Fix panoramiX request and reply swapping

 Fix panoramiX request and reply swapping
 Set window and screen values in panoramix replies
 Prevent buffer overrun in ProcPanoramiXGetScreenSize
(cherry picked from commit 2b266eda6e23d16116f8a8e258192df353970279)
---
 Xext/panoramiX.c   | 17 +++++++++++++----
 randr/rrxinerama.c | 18 ++++++++++++++----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 2792dc714..8bc5c42c2 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -936,10 +936,11 @@ ProcPanoramiXGetState(ClientPtr client)
 	rep.length = 0;
 	rep.sequenceNumber = client->sequence;
 	rep.state = !noPanoramiXExtension;
+	rep.window = stuff->window;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.state, n);
+	    swapl (&rep.window, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetStateReply), (char *) &rep);
 	return client->noClientException;
@@ -963,10 +964,11 @@ ProcPanoramiXGetScreenCount(ClientPtr client)
 	rep.length = 0;
 	rep.sequenceNumber = client->sequence;
 	rep.ScreenCount = PanoramiXNumScreens;
+	rep.window = stuff->window;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.ScreenCount, n);
+	    swapl (&rep.window, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetScreenCountReply), (char *) &rep);
 	return client->noClientException;
@@ -980,6 +982,9 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
 	xPanoramiXGetScreenSizeReply	rep;
 	register int			n, rc;
 	
+	if (stuff->screen >= PanoramiXNumScreens)
+	    return BadMatch;
+
 	REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
 	rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
 	if (rc != Success)
@@ -991,11 +996,15 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
 		/* screen dimensions */
 	rep.width  = panoramiXdataPtr[stuff->screen].width; 
 	rep.height = panoramiXdataPtr[stuff->screen].height; 
+	rep.window = stuff->window;
+	rep.screen = stuff->screen;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.width, n);
-	    swaps (&rep.height, n);
+	    swapl (&rep.width, n);
+	    swapl (&rep.height, n);
+	    swapl (&rep.window, n);
+	    swapl (&rep.screen, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetScreenSizeReply), (char *) &rep);
 	return client->noClientException;
diff --git a/randr/rrxinerama.c b/randr/rrxinerama.c
index 240fca27a..e6acd5e57 100644
--- a/randr/rrxinerama.c
+++ b/randr/rrxinerama.c
@@ -138,10 +138,11 @@ ProcRRXineramaGetState(ClientPtr client)
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
     rep.state = active;
+    rep.window = stuff->window;
     if(client->swapped) {
        swaps (&rep.sequenceNumber, n);
        swapl (&rep.length, n);
-       swaps (&rep.state, n);
+       swapl (&rep.window, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetStateReply), (char *)&rep);
     return client->noClientException;
@@ -192,10 +193,11 @@ ProcRRXineramaGetScreenCount(ClientPtr client)
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
     rep.ScreenCount = RRXineramaScreenCount (pWin->drawable.pScreen);
+    rep.window = stuff->window;
     if(client->swapped) {
        swaps(&rep.sequenceNumber, n);
        swapl(&rep.length, n);
-       swaps(&rep.ScreenCount, n);
+       swapl(&rep.window, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetScreenCountReply), (char *)&rep);
     return client->noClientException;
@@ -223,11 +225,15 @@ ProcRRXineramaGetScreenSize(ClientPtr client)
     rep.sequenceNumber = client->sequence;
     rep.width  = pRoot->drawable.width;
     rep.height = pRoot->drawable.height;
+    rep.window = stuff->window;
+    rep.screen = stuff->screen;
     if(client->swapped) {
        swaps(&rep.sequenceNumber, n);
        swapl(&rep.length, n);
-       swaps(&rep.width, n);
-       swaps(&rep.height, n);
+       swapl(&rep.width, n);
+       swapl(&rep.height, n);
+       swapl(&rep.window, n);
+       swapl(&rep.screen, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetScreenSizeReply), (char *)&rep);
     return client->noClientException;
@@ -351,6 +357,7 @@ SProcRRXineramaGetState(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetStateReq);
+    swapl (&stuff->window, n);
     return ProcRRXineramaGetState(client);
 }
 
@@ -361,6 +368,7 @@ SProcRRXineramaGetScreenCount(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetScreenCountReq);
+    swapl (&stuff->window, n);
     return ProcRRXineramaGetScreenCount(client);
 }
 
@@ -371,6 +379,8 @@ SProcRRXineramaGetScreenSize(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+    swapl (&stuff->window, n);
+    swapl (&stuff->screen, n);
     return ProcRRXineramaGetScreenSize(client);
 }