src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: mesa-24.3.0-rc1/src/glx/glx_query.c
===================================================================
--- mesa-24.3.0-rc1.orig/src/glx/glx_query.c
+++ mesa-24.3.0-rc1/src/glx/glx_query.c
@@ -56,6 +56,13 @@ __glXQueryServerString(Display * dpy, CA
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_query_server_string_string(reply), len);
 free(reply);
@@ -83,6 +90,12 @@ __glXGetString(Display * dpy, CARD32 con
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_get_string_string(reply), len);
 free(reply);
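Review bot: The `strnlen` bound in the added check of `__glXQueryServerString` is the constant `64*1024` rather than the reply's own `len`, so when the server's string has no NUL inside its declared `len` bytes the scan can read up to 64 KiB beyond the string data before `reply_len + 1 != len` rejects it. Bounding the scan by the declared length keeps the read inside the string and still enforces the cap: `size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), len);` followed by `if (len > 64 * 1024 || reply_len + 1 != len)`. The second hunk in `__glXGetString` has the same pattern and also lacks the comment explaining the 64 KiB limit. Whether `len` is itself consistent with the size of the reply actually received is not visible here and should be confirmed; both functions begin and end outside their hunks.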