From c34f59ee152def40343c68fbdc3ee8f71a0d9575 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 23 Jun 2025 15:34:14 +0200
Subject: [PATCH] randr: Do not leak the provider property

When changing the RandR provider property, if the property does not
already exists, it is created.

In case of error, however, it doesn't get freed, leading to a leak of
the allocated property.

Make sure to free the RandR property in case of error if was to be
added.

Found by OpenScanHub.

Fixes: 3c3a4b767 - randr: Check for overflow in RRChangeProviderProperty()
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2035>
---
 randr/rrproviderproperty.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index 0c3dcd1bc..e84e0dff3 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -182,8 +182,11 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
 
     if (mode == PropModeReplace || len > 0) {
         void *new_data = NULL, *old_data = NULL;
-        if (total_len > MAXINT / size_in_bytes)
+        if (total_len > MAXINT / size_in_bytes) {
+            if (add)
+                RRDestroyProviderProperty(prop);
             return BadValue;
+        }
         total_size = total_len * size_in_bytes;
         new_value.data = (void *) malloc(total_size);
         if (!new_value.data && total_size) {