_XGetAsyncReply mishandling of 'discard' parameter
Submitted by Owen Taylor
Assigned to Xorg Project Team
    if (discard && (rep->generic.length << 2) > len)
        _XEatData (dpy, (rep->generic.length << 2) - len);
(And two similar cases further down that also need fixing; the second usage of discard and the error case)
The problem here is that 'len' is the value passed to the calling handler - the number of bytes that has already been read off the buffer. But in the X protocol, rep->generic.length is the number of words after the 32-byte standard sizeof(xReply).
Havoc - I'm wondering if this is:
     * Passing discard = True seems to break things; I don't understand
     * why, because there should be no extra data in an error reply,
     * right?
in metacity/async-getprop.c. Though I don't understand the connection, since reply->generic.length should be 0 for xError always (making the call to _XGetAsyncReply() a bit unnecessary), and also meaning that (rep->generic.length << 2) > len will be FALSE.
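Added example, not part of the original report and not Xlib code: a small model of the length arithmetic described above, comparing the quoted expression with one that counts the 32-byte header, and showing how far the stream position ends up from the real reply boundary. It assumes, as the report states, that 'len' counts bytes already consumed from the start of the reply; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLY_HEADER_BYTES 32u   /* sizeof(xReply), per the report */

/* Bytes discarded by the expression quoted in the report:
 * header not counted, payload words compared directly with len. */
size_t discard_as_reported(uint32_t length_words, size_t len)
{
    size_t payload = (size_t)length_words << 2;
    return payload > len ? payload - len : 0;
}

/* Bytes discarded when the total reply size includes the header
 * (assumed correction, derived from the report's description). */
size_t discard_with_header(uint32_t length_words, size_t len)
{
    size_t total = REPLY_HEADER_BYTES + ((size_t)length_words << 2);
    return total > len ? total - len : 0;
}

/* Bytes of the current reply left unread after the discard.
 * Non-zero means the next read starts inside this reply's payload. */
size_t leftover_bytes(uint32_t length_words, size_t len, size_t discarded)
{
    size_t total = REPLY_HEADER_BYTES + ((size_t)length_words << 2);
    size_t consumed = len + discarded;
    return total > consumed ? total - consumed : 0;
}

int main(void)
{
    /* Constructed cases: {length in words, bytes already read}. */
    const struct { uint32_t words; size_t len; } cases[] = {
        { 10, 32 },  /* 40-byte payload, only the header read so far */
        {  4, 32 },  /* 16-byte payload: quoted condition is false */
        {  0, 32 },  /* xError-style reply: nothing follows the header */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t a = discard_as_reported(cases[i].words, cases[i].len);
        size_t b = discard_with_header(cases[i].words, cases[i].len);
        printf("words=%u len=%zu reported=%zu (left %zu) with_header=%zu (left %zu)\n",
               (unsigned)cases[i].words, cases[i].len,
               a, leftover_bytes(cases[i].words, cases[i].len, a),
               b, leftover_bytes(cases[i].words, cases[i].len, b));
    }
    return 0;
}
```

Any leftover bytes would be parsed as the start of the next reply or event, which is the desynchronization a protocol reader has to rule out.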