Created attachment 69207
don't memmove the last word
MakeBigReq() needs to make the request one 32-bit word larger (to squeeze in a larger length value). It saves the last word in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves every word in the request after the first word. That is one too many words. One overflows (in certain situations).
As this is a macro, of course all libraries that use the macro or SetReqLen to create large requests will need to be recompiled.
The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Confirmed and I have a reliable reproducer here. Requirement for the overrun is that the fixed-length bit of the request is aligned at the end of the dpy buffer.
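The word count described in the comments above, as an added example that is not part of the thread and is not Xlib code: a simplified model in which the request ends exactly at the end of the buffer and a guard word stands in for whatever lies past bufmax. All names (`widen_request`, `buggy_overruns`, `fixed_overruns`, `BUF_WORDS`, `GUARD`) and the buffer contents are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_WORDS 8            /* constructed: words before "bufmax" */
#define GUARD 0xDEADBEEFu      /* constructed: marks the word just past bufmax */

/* Model of widening a request by one 32-bit word when the request ends
 * exactly at the end of the output buffer. move_words is how many words
 * get shifted up one slot. Returns 1 if the word past bufmax was
 * overwritten, 0 if not, -1 on bad arguments. */
int widen_request(size_t req_words, size_t move_words, uint32_t *saved_last)
{
    uint32_t mem[BUF_WORDS + 1];           /* buffer plus one guard word */
    uint32_t *req;
    size_t i;

    if (req_words < 2 || req_words > BUF_WORDS || move_words >= req_words)
        return -1;
    for (i = 0; i < BUF_WORDS; i++)
        mem[i] = (uint32_t)(i + 1);        /* constructed request data */
    mem[BUF_WORDS] = GUARD;
    req = mem + (BUF_WORDS - req_words);   /* request ends at bufmax */

    *saved_last = req[req_words - 1];      /* last word kept aside first */
    memmove(req + 2, req + 1, move_words * sizeof(uint32_t));
    return mem[BUF_WORDS] != GUARD;
}

/* Moves every word after the first: one word too many. */
int buggy_overruns(size_t req_words)
{
    uint32_t last;
    return widen_request(req_words, req_words - 1, &last);
}

/* Leaves the last word out of the move; it is appended separately. */
int fixed_overruns(size_t req_words)
{
    uint32_t last;
    return widen_request(req_words, req_words - 2, &last);
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", buggy_overruns(4), fixed_overruns(4));
    return 0;
}
```

In the model the saved last word is the one that would be appended through a bounds-checked path, so shifting it as well writes one word past the end of the buffer.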
Patch pushed to git master: