From 8de5a9b2be31d14dcce3795f919b353d62e56897 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Mon, 28 Apr 2025 14:59:46 +0200
Subject: [PATCH xserver 7/7] xfree86: Check for RandR provider functions

Changing XRandR provider properties if the driver has set no provider function such as the modesetting driver will cause a NULL pointer dereference and a crash of the Xorg server.

Related to CVE-2025-49180

This issue was discovered by Nils Emmerich and reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan
Reviewed-by: Peter Hutterer
(cherry picked from commit 0235121c6a7a6eb247e2addb3b41ed6ef566853d)
Part-of:
---
 hw/xfree86/modes/xf86RandR12.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index f220ef192..ccb7f629c 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -2133,7 +2133,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
 /* If we don't have any property handler, then we don't care what the
 * user is setting properties to.
 */
- if (config->provider_funcs->set_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->set_property == NULL)
 return TRUE;

 /*
@@ -2151,7 +2152,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
 ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
 xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);

- if (config->provider_funcs->get_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->get_property == NULL)
 return TRUE;

 /* Should be safe even w/o vtSema */
--
2.49.0
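Review bot: The comment above the new guard in xf86RandR14ProviderSetProperty still describes only a missing property handler, and the matching guard in xf86RandR14ProviderGetProperty (second hunk) has no comment at all, so neither records that `provider_funcs` itself can be NULL. I would add `/* provider_funcs is NULL when the driver registers no provider functions (e.g. modesetting) */` above both checks, because per the commit message that is the case a client request can reach to crash the server. Both function bodies continue outside their hunks, so any other `config->provider_funcs->` dereference in this file is not visible here; if one exists it would presumably need the same two-step test.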