untrusted comment: verify with openbsd-76-base.pub
RWTkuwn4mbq8oq1zGwct1oSMMe0Tncsl8gZCMEaHJCn1syZYXTpJW4Z8Q04OvRHSl4J4eAVfNVKPYCAo0gxCBpmn1b8VRGsbDw4=

OpenBSD 7.6 errata 020, July 1, 2025:

Previous fix for X11 server was incomplete.  
CVE-2025-49176

Apply by doing:
    signify -Vep /etc/signify/openbsd-76-base.pub -x 020_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

And then rebuild and install the X server:
    cd /usr/xenocara/xserver
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Index: xserver/os/io.c
===================================================================
RCS file: /cvs/xenocara/xserver/os/io.c,v
diff -u -p -r1.19.14.1 io.c
--- xserver/os/io.c	17 Jun 2025 13:16:43 -0000	1.19.14.1
+++ xserver/os/io.c	19 Jun 2025 16:47:04 -0000
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
                     needed = get_big_req_len(request, client);
             }
             client->req_len = needed;
+            if (needed > MAXINT >> 2)
+                return -(BadLength);
             needed <<= 2;
         }
         if (gotnow < needed) {