From ca652633c02ceb054143207d71d24a8123733c27 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 20 May 2025 15:18:19 +0200
Subject: [PATCH xserver 1/2] randr: Check for overflow in
 RRChangeProviderProperty()

A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.

CVE-2025-49180

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 randr/rrproviderproperty.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xorg-server-21.1.15/randr/rrproviderproperty.c
===================================================================
--- xorg-server-21.1.15.orig/randr/rrproviderproperty.c
+++ xorg-server-21.1.15/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr p
 
     if (mode == PropModeReplace || len > 0) {
         void *new_data = NULL, *old_data = NULL;
-
+        if (total_len > MAXINT / size_in_bytes)
+            return BadValue;
         total_size = total_len * size_in_bytes;
         new_value.data = (void *) malloc(total_size);
         if (!new_value.data && total_size) {