--- /dev/null
+From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Tue, 28 Oct 2014 10:30:04 +0100
+Subject: [PATCH 14/33] render: check request size before reading it
+ [CVE-2014-8100 1/2]
+
+Otherwise we may be reading outside of the client request.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ render/render.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/render/render.c b/render/render.c
+index e3031da..200e0c8 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
+
+ REQUEST(xRenderQueryVersionReq);
+
++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+ pRenderClient->major_version = stuff->majorVersion;
+ pRenderClient->minor_version = stuff->minorVersion;
+
+- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+-
+ if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
+ (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
+ rep.majorVersion = stuff->majorVersion;
+--
+1.7.9.2
+