record: Check for overflow in RecordSanityCheckRegisterClients()

The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.

A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.

To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than an maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.

This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.

CVE-2025-49179

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>

record/record.c

@@ -46,6 +46,7 @@ and Jim Haggerty of Metheus.
 #include "dix/resource_priv.h"
 #include "miext/extinit_priv.h"
 #include "os/client_priv.h"
+#include "os/osdep.h"
 #include "Xext/panoramiX.h"
 #include "Xext/panoramiXsrv.h"
 
@@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
     int i;
     XID recordingClient;
 
+    /* LimitClients is 2048 at max, way less that MAXINT */
+    if (stuff->nClients > LimitClients)
+        return BadValue;
+
+    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+        return BadValue;
+
     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
         return BadLength;