From c001e1330a70886cf8f108bf51a325e227a45d71 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 7 Dec 2025 15:57:53 -0800
Subject: [PATCH] dix: set errorValue correctly when XID lookup fails in
 ChangeGCXIDs()

dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.

Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ac42c39145849588544ad10812e5a8ae76bf1114)
(cherry picked from commit 7f1050de78239daa643483f719ba9cecdf427265)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
---
 dix/gc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/dix/gc.c b/dix/gc.c
index 47bab00bd..43244895a 100644
--- a/dix/gc.c
+++ b/dix/gc.c
@@ -441,6 +441,7 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
         vals[i].val = pC32[i];
     for (i = 0; i < ARRAY_SIZE(xidfields); ++i) {
         int offset, rc;
+        XID id;
 
         if (!(mask & xidfields[i].mask))
             continue;
@@ -449,11 +450,13 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
             vals[offset].ptr = NullPixmap;
             continue;
         }
-        rc = dixLookupResourceByType(&vals[offset].ptr, vals[offset].val,
+        /* save the id, since dixLookupResourceByType overwrites &vals[offset] */
+        id = vals[offset].val;
+        rc = dixLookupResourceByType(&vals[offset].ptr, id,
                                      xidfields[i].type, client,
                                      xidfields[i].access_mode);
         if (rc != Success) {
-            client->errorValue = vals[offset].val;
+            client->errorValue = id;
             return rc;
         }
     }