Fix integer underflow in XRecordRegisterClients()

Reported by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

xserver/record/record.c

@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
 }                               /* SProcRecordQueryVersion */
 
 static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
 {
     int i;
     XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
     swapl(&stuff->nRanges);
     pClientID = (XID *) &stuff[1];
     if (stuff->nClients >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
         return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++) {
         swapl(pClientID);
     }
     if (stuff->nRanges >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
         - stuff->nClients)
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
 
     swaps(&stuff->length);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
         return status;
     return ProcRecordCreateContext(client);
 }                               /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
 
     swaps(&stuff->length);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
         return status;
     return ProcRecordRegisterClients(client);
 }                               /* SProcRecordRegisterClients */