composite: Handle failure to redirect in compRedirectWindow()

The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.

In that case, compRedirectWindow() will return a BadAlloc error.

However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.

That causes a use of uninitialized pointer later.

The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.

CVE-2025-26599, ZDI-CAN-25851

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>

composite/compalloc.c

@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
     WindowPtr pLayerWin;
     Bool anyMarked = FALSE;
+    int status = Success;
 
     if (pWin == cs->pOverlayWin) {
         return Success;
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
 
     if (!compCheckRedirect(pWin)) {
         FreeResource(ccw->id, X11_RESTYPE_NONE);
-        return BadAlloc;
+        status = BadAlloc;
     }
 
     if (anyMarked)
         compHandleMarkedWindows(pWin, pLayerWin);
 
-    return Success;
+    return status;
 }
 
 void