From 4607666e18af2c06f2be99cdcfa3dd9450768c33 Mon Sep 17 00:00:00 2001
From: matthieu
Date: Thu, 19 Jun 2025 05:16:21 +0000
Subject: [PATCH] Check for integer overflow on BigRequest length. Related to CVE-2025-49176.
---
 xserver/os/io.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/xserver/os/io.c b/xserver/os/io.c
index 26f9161ef..83986af92 100644
--- a/xserver/os/io.c
+++ b/xserver/os/io.c
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
 needed = get_big_req_len(request, client);
 }
 client->req_len = needed;
+ if (needed > MAXINT >> 2)
+ return -(BadLength);
 needed <<= 2;
 }
 if (gotnow < needed) {
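Review bot: `client->req_len = needed;` still runs before the new guard, so on the `-(BadLength)` return the client record keeps the length that was just rejected; whether anything reads `client->req_len` after a negative return is not visible in this hunk, but placing the two added lines above the assignment would rule it out. The guard bounds only the upper side, so it relies on `needed` being unsigned; its declaration is outside the hunk and should be confirmed, since a signed negative value would pass the test and reach `needed <<= 2`. A short comment such as `/* needed counts 4-byte units; reject before << 2 can overflow */` would record why the bound is `MAXINT >> 2`. ReadRequestFromClient begins and ends outside the hunk.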