The handling of appending/prepending properties was incorrect, with at least two bugs: the property length was set to the length of the new part only, i.e. appending or prepending N elements to a property with P existing elements always resulted in the property having N elements instead of N + P.
Second, when pre-pending a value to a property, the offset for the old values was incorrect, leaving the new property with potentially uninitalized values and/or resulting in OOB memory writes. For example, prepending a 3 element value to a 5 element property would result in this 8 value array:
[N, N, N, ?, ?, P, P, P ] P, P
The XI2 code is a copy/paste of the RandR code, so the bug exists in both.
This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative