From 9a6399682bc37ede3693d8873c485acaef6aa359 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 23 Jun 2025 15:34:14 +0200
Subject: [PATCH] randr: Do not leak the provider property

When changing the RandR provider property, if the property does not
already exists, it is created.

In case of error, however, it doesn't get freed, leading to a leak of
the allocated property.

Make sure to free the RandR property in case of error if was to be
added.

Found by OpenScanHub.

Fixes: 3c3a4b767 - randr: Check for overflow in RRChangeProviderProperty()
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit c34f59ee152def40343c68fbdc3ee8f71a0d9575)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2041>
---
 randr/rrproviderproperty.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index 3deb0cbfd..00e27556b 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -179,8 +179,11 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
 
     if (mode == PropModeReplace || len > 0) {
         void *new_data = NULL, *old_data = NULL;
-        if (total_len > MAXINT / size_in_bytes)
+        if (total_len > MAXINT / size_in_bytes) {
+            if (add)
+                RRDestroyProviderProperty(prop);
             return BadValue;
+        }
         total_size = total_len * size_in_bytes;
         new_value.data = (void *) malloc(total_size);
         if (!new_value.data && total_size) {