From 4202b23ed86405a4cebfdcf239df1b023c1d10ca Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@guitar.keithp.com>
Date: Mon, 27 Nov 2006 21:40:24 -0800
Subject: [PATCH] Destroying RandR crtc or output overwrites memory.

RRCrtcDestroyResource and RROutputDestroyResource had matching
bugs that would overwrite memory past the end of the storage
of the crtc or output arrays. Oops.
---
 randr/rrcrtc.c   | 2 +-
 randr/rroutput.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 212352c15..e8a7b79e1 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -344,7 +344,7 @@ RRCrtcDestroyResource (pointer value, XID pid)
 	    if (pScrPriv->crtcs[i] == crtc)
 	    {
 		memmove (pScrPriv->crtcs + i, pScrPriv->crtcs + i + 1,
-			 (pScrPriv->numCrtcs - (i - 1)) * sizeof (RRCrtcPtr));
+			 (pScrPriv->numCrtcs - (i + 1)) * sizeof (RRCrtcPtr));
 		--pScrPriv->numCrtcs;
 		break;
 	    }
diff --git a/randr/rroutput.c b/randr/rroutput.c
index f38f5826a..430f8bdaa 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -327,7 +327,7 @@ RROutputDestroyResource (pointer value, XID pid)
 	    if (pScrPriv->outputs[i] == output)
 	    {
 		memmove (pScrPriv->outputs + i, pScrPriv->outputs + i + 1,
-			 (pScrPriv->numOutputs - (i - 1)) * sizeof (RROutputPtr));
+			 (pScrPriv->numOutputs - (i + 1)) * sizeof (RROutputPtr));
 		--pScrPriv->numOutputs;
 		break;
 	    }