xkb: Prevent overflow in XkbSetCompatMap()

The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.

However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.

To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.

CVE-2025-62231, ZDI-CAN-27560

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <[email protected]>
Reviewed-by: Michel Dänzer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>

Author: ofourdan

xkb/xkb.c

@@ -2952,6 +2952,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
         XkbSymInterpretPtr sym;
         unsigned int skipped = 0;
 
+        if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
+            return BadValue;
         if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
             compat->num_si = compat->size_si = req->firstSI + req->nSI;
             compat->sym_interpret = reallocarray(compat->sym_interpret,