new file mode 100644
@@ -0,0 +1,92 @@
+From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9]
+CVE: CVE-2025-49176
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index b3e5feacc2..2308cfe6d1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -527,9 +527,10 @@ Dispatch(void)
+
+ /* now, finally, deal with client requests */
+ result = ReadRequestFromClient(client);
+- if (result <= 0) {
+- if (result < 0)
+- CloseDownClient(client);
++ if (result == 0)
++ break;
++ else if (result == -1) {
++ CloseDownClient(client);
+ break;
+ }
+
+@@ -550,7 +551,7 @@ Dispatch(void)
+ client->index,
+ client->requestBuffer);
+ #endif
+- if (result > (maxBigRequestSize << 2))
++ if (result < 0 || result > (maxBigRequestSize << 2))
+ result = BadLength;
+ else {
+ result = XaceHookDispatch(client, client->majorOp);
+diff --git a/os/io.c b/os/io.c
+index 1fffaf62c7..3e39c10e6f 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -300,6 +300,10 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2) {
++ /* Check for potential integer overflow */
++ return -(BadLength);
++ }
+ needed <<= 2; /* needed is in bytes now */
+ }
+ if (gotnow < needed) {
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,37 @@
+From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1]
+CVE: CVE-2025-49176 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index e7b76b9cea..167b40a720 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+GitLab
+
@@ -37,6 +37,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2025-26601-4.patch \
file://CVE-2022-49737.patch \
file://CVE-2025-49175.patch \
+ file://CVE-2025-49176-1.patch \
+ file://CVE-2025-49176-2.patch \
"
SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"