Fix invalid read in XIGrabDevice.

Miscalculation of length caused Data() to memcpy too many bytes.

==2865== Invalid read of size 1
==2865==    at 0x4A07480: memcpy (mc_replace_strmem.c:602)
==2865==    by 0x544271E: XIGrabDevice (XIGrabDevice.c:69)
==2865==    by 0x400B0A: main (gnome642481.c:56)
==2865==  Address 0x642f614 is 0 bytes after a block of size 20 alloc'd
==2865==    at 0x4A04896: calloc (vg_replace_malloc.c:418)
==2865==    by 0x54425D3: XIGrabDevice (XIGrabDevice.c:65)
==2865==    by 0x400B0A: main (gnome642481.c:56)

SetReqLen() expects 4-byte units.
Data() expects bytes.

Gnome Bug 642481 <https://bugzilla.gnome.org/show_bug.cgi?id=642481>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c
index 985d3f1..97ab971 100644
--- a/src/XIGrabDevice.c
+++ b/src/XIGrabDevice.c
@@ -61,8 +61,8 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
 
     /* masks.mask_len is in bytes, but we need 4-byte units on the wire,
      * and they need to be padded with 0 */
-    len = req->mask_len * 4;
-    buff = calloc(1, len);
+    len = req->mask_len;
+    buff = calloc(1, len * 4);
     memcpy(buff, mask->mask, mask->mask_len);
 
     SetReqLen(req, len, len);