From 598994a856fc54ddeb465266c167285906ee6204 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Fri, 17 Apr 2026 12:03:59 +1000 Subject: [PATCH] Xext/xres: fix undefined behavior in ConstructClientIdValue The CARD32 *value pointer was computed as (ptr + sizeof(rep)) BEFORE the NULL check for ptr. If AddFragment returns NULL, this performs pointer arithmetic on a null pointer, which is undefined behavior per C11 section 6.5.6 paragraph 8. With aggressive compiler optimizations (e.g., GCC -O2 with LTO), the compiler could reason that since ptr was used in arithmetic, it must be non-NULL, and optimize away the NULL check entirely. This would then cause a write to an invalid address on OOM. Co-Authored-by: Claude Code Part-of: --- Xext/xres.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Xext/xres.c b/Xext/xres.c index 96d5eba7c..a8c9cd01a 100644 --- a/Xext/xres.c +++ b/Xext/xres.c @@ -490,12 +490,14 @@ ConstructClientIdValue(ClientPtr sendClient, ClientPtr client, CARD32 mask, if (pid != -1) { void *ptr = AddFragment(&ctx->response, sizeof(rep) + sizeof(CARD32)); - CARD32 *value = (void*) ((char*) ptr + sizeof(rep)); + CARD32 *value; if (!ptr) { return FALSE; } + value = (void*) ((char*) ptr + sizeof(rep)); + rep.spec.mask = X_XResLocalClientPIDMask; rep.length = 4;
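Review bot: In the hunk at `@@ -490,12 +490,14 @@`, the separate `CARD32 *value;` declaration followed by the later `value = (void*) ((char*) ptr + sizeof(rep));` leaves `value` uninitialized between the two points; unless Xext/xres.c is held to C89-style declarations at the top of the block, consider declaring it at the point of use after the NULL check, i.e. `CARD32 *value = (void*) ((char*) ptr + sizeof(rep));` placed where the assignment now sits, so the variable can never be read before it is set. The reordering itself is correct for the stated C11 6.5.6p8 concern: the `if (!ptr) return FALSE;` test now precedes the only pointer arithmetic on `ptr`, so the compiler can no longer infer non-NULL-ness from that arithmetic and elide the check. One further thing worth confirming in review is that the `return FALSE` path leaves `ctx->response` in a consistent state when `AddFragment` fails, since the hunk shows no cleanup there; if the caller already handles that, a short comment on the early return would make it evident.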