xwayland: Check for outputs before lease devices

In xwl_randr_request_lease(), the code checks first for leased device,
and then checks for existing output for lease.

The former assumes there are outputs for lease whereas the latter checks
for the output, connector and lease.

So if there is any existing rrLease->outputs[]->devPrivate unset, the
code would crash on a NULL pointer dereference on the first sanity check
before having a chance to reach the second check that would have caught
the problem.

Invert the sanity checks so that we would catch this first and return a
BadValue instead of possibly segfaulting.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Xaver Hugl <xaver.hugl@kde.org>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1482>

hw/xwayland/xwayland-drm-lease.c

@@ -116,6 +116,13 @@ xwl_randr_request_lease(ClientPtr client, ScreenPtr screen, RRLeasePtr rrLease)
         return BadMatch;
     }
 
+    for (i = 0; i < rrLease->numOutputs; ++i) {
+        output = rrLease->outputs[i]->devPrivate;
+        if (!output || !output->lease_connector || output->lease) {
+            return BadValue;
+        }
+    }
+
     xorg_list_for_each_entry(device_data, &xwl_screen->drm_lease_devices, link) {
         Bool connectors_of_device = FALSE;
         for (i = 0; i < rrLease->numOutputs; ++i) {
@@ -134,13 +141,6 @@ xwl_randr_request_lease(ClientPtr client, ScreenPtr screen, RRLeasePtr rrLease)
         }
     }
 
-    for (i = 0; i < rrLease->numOutputs; ++i) {
-        output = rrLease->outputs[i]->devPrivate;
-        if (!output || !output->lease_connector || output->lease) {
-            return BadValue;
-        }
-    }
-
     req = wp_drm_lease_device_v1_create_lease_request(
             lease_device->drm_lease_device);
     lease_private = calloc(1, sizeof(struct xwl_drm_lease));