[3.4] libXfixes: Integer overflow on illegal server response (CVE-2016-7944)

ID: oval:org.secpod.oval:def:1800740
Date: (C) 2018-03-29 (M) 2023-11-10
Class: PATCH
Family: unix

When receiving a response from the server, protocol data is not validated sufficiently. The 32-bit field "rep.length" is not checked for validity, which allows an integer overflow on 32-bit systems. A malicious server could send INT_MAX as the length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from the server and gets out of sync.

Affected versions: libXfixes
Fixed in version: libXfixes 5.0.3
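The arithmetic the description refers to, as an added example that is not code from the libXfixes project: a 32-bit model of the unchecked length multiplication beside a bounded version that rejects the reply instead of wrapping. The names XRECTANGLE_WIRE_BYTES, rect_bytes_unchecked, rect_bytes_checked and bytes_left_unread are chosen here; the 8-byte rectangle size assumes the four 16-bit fields of the X protocol XRectangle.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Wire size of an XRectangle: four 16-bit fields (x, y, width, height). */
enum { XRECTANGLE_WIRE_BYTES = 8 };

/* Model of the 32-bit client: the byte count is computed in 32-bit unsigned
 * arithmetic, as a 32-bit build of the library would do. */
typedef uint32_t size32_t;

/* Vulnerable pattern: rep.length is trusted and multiplied without a bound
 * check, so the product silently wraps modulo 2^32. */
size32_t rect_bytes_unchecked(uint32_t rep_length)
{
    return (size32_t)rep_length * (size32_t)XRECTANGLE_WIRE_BYTES;
}

/* Hardened pattern: refuse any length whose byte count cannot be represented
 * in the 32-bit size type before multiplying. Returns -1 for a rejected reply. */
int64_t rect_bytes_checked(uint32_t rep_length)
{
    if (rep_length > UINT32_MAX / XRECTANGLE_WIRE_BYTES)
        return -1;                 /* treat as a protocol error and drop the reply */
    return (int64_t)rep_length * XRECTANGLE_WIRE_BYTES;
}

/* Bytes the server will still send after the client, using the wrapped count,
 * has stopped reading. Nonzero means the client is now out of sync with the
 * server and will parse the leftover rectangle data as the next reply. */
uint64_t bytes_left_unread(uint32_t rep_length)
{
    uint64_t advertised = (uint64_t)rep_length * XRECTANGLE_WIRE_BYTES;
    return advertised - rect_bytes_unchecked(rep_length);
}

int main(void)
{
    uint32_t hostile = (uint32_t)INT_MAX;  /* constructed: the value named above */
    printf("length=%u unchecked_bytes=%u checked=%lld unread=%llu\n",
           (unsigned)hostile, (unsigned)rect_bytes_unchecked(hostile),
           (long long)rect_bytes_checked(hostile),
           (unsigned long long)bytes_left_unread(hostile));
    printf("length=3 checked=%lld unread=%llu\n",
           (long long)rect_bytes_checked(3),
           (unsigned long long)bytes_left_unread(3));
    return 0;
}
```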

Platform: Alpine Linux 3.4
Product: libxfixes
Reference: 6308, CVE-2016-7944
CVE (1): CVE-2016-7944
CPE (2): cpe:/o:alpinelinux:alpine_linux:3.4, cpe:/a:x:libxfixes

© SecPod Technologies