From c430c829d58a79a5d75ce43547fb649126baed01 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 17 Jun 2025 16:22:53 +0200
Subject: [PATCH] render: fix CVE-2025-49175

Protect against clients sending a series of zero cursors.

Signed-off-by: Enrico Weigelt, metux IT consult
---
 render/animcur.c | 3 +++
 render/render.c | 10 ++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/render/animcur.c b/render/animcur.c
index 752e2d4bf..63501c959 100644
--- a/render/animcur.c
+++ b/render/animcur.c
@@ -298,6 +298,9 @@ int
 AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
 CursorPtr *ppCursor, ClientPtr client, XID cid)
 {
+ if (ncursor <= 0)
+ return BadValue;
+
 CursorPtr pCursor;
 int rc = BadAlloc, i;
 AnimCurPtr ac;
diff --git a/render/render.c b/render/render.c
index 9384ae59b..5e1e1983d 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1784,10 +1784,8 @@ static int
 ProcRenderCreateAnimCursor(ClientPtr client)
 {
 REQUEST(xRenderCreateAnimCursorReq);
- CursorPtr *cursors;
 CARD32 *deltas;
 CursorPtr pCursor;
- int ncursor;
 xAnimCursorElt *elt;
 int i;
 int ret;
@@ -1796,10 +1794,14 @@ ProcRenderCreateAnimCursor(ClientPtr client)
 LEGAL_NEW_RESOURCE(stuff->cid, client);
 if (client->req_len & 1)
 return BadLength;
- ncursor =
+
+ int ncursor =
 (client->req_len -
 (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
- cursors = calloc(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (ncursor <= 0)
+ return BadValue;
+
+ CursorPtr *cursors = calloc(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
 if (!cursors)
 return BadAlloc;
 deltas = (CARD32 *) (cursors + ncursor);
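Review bot: The new guard at the top of AnimCursorCreate carries no comment on why an empty list is rejected, and since it is the function-level check rather than the protocol-level one it is what protects any caller other than ProcRenderCreateAnimCursor, if such callers exist. I'd document the precondition in place, e.g. `/* CVE-2025-49175: refuse an empty cursor list; the body below assumes ncursor >= 1 */`, and repeat it as a one-line note on the prototype in the header so callers see it without reading the body. The rest of AnimCursorCreate runs past the hunk, so which access the guard prevents is not visible here and the wording should be adjusted to name it. Placing the statement ahead of the declarations is fine in C99 but differs from the top-of-block declaration style the surrounding lines use; moving the guard after `AnimCurPtr ac;` would keep the block consistent.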
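Review bot: The `ncursor <= 0` check in the second render.c hunk only rejects a negative count if the subtraction can actually go negative, which depends on the declared type of `client->req_len`: if it is unsigned, a request shorter than the header wraps to a large value that is then truncated on assignment to `int`, so the short-request case is presumably covered by the minimum-length check earlier in ProcRenderCreateAnimCursor (outside the hunk) rather than by this comparison. I'd make that split of responsibilities explicit with `/* zero elements is malformed (CVE-2025-49175); a request shorter than the header is rejected by the length check above */` so the next reader does not assume this line handles both. Once `ncursor` is known to be positive the `calloc(ncursor, ...)` conversion to `size_t` is well defined, which is worth a word in the same comment. The first render.c hunk only moves the two declarations to their point of use and needs nothing further.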