diff --git a/1001-fix-CVE-2025-49175-CVE-2025-49176.patch b/1001-fix-CVE-2025-49175-CVE-2025-49176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d2bd0253589a57dd9ea0fe3e621530abf787679c
--- /dev/null
+++ b/1001-fix-CVE-2025-49175-CVE-2025-49176.patch
@@ -0,0 +1,40 @@
+From 1026e30b9da2b1569d6125f0ef24d4f9a08a5221 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Sun, 22 Jun 2025 23:55:04 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49175 and CVE-2025-49176
+
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..77942d8 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+2.41.0
+
diff --git a/1002-fix-CVE-2025-49177.patch b/1002-fix-CVE-2025-49177.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b83c93ff18ef607de7894b7142d011450174b05
--- /dev/null
+++ b/1002-fix-CVE-2025-49177.patch
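Review bot: The patch is labelled as fixing both CVE-2025-49175 and CVE-2025-49176, but its two hunks only add `if (ncursor <= 0) return BadValue;` to AnimCursorCreate and ProcRenderCreateAnimCursor, which is the animated-cursor count check. Nothing on this page changes how a big-request length is computed or bounded (the only os/io.c change, in 1003, touches the `AvailableInput` condition), and the spec cites a single upstream commit for Patch5. If CVE-2025-49176 is the Big Requests length overflow, as I understand it, its fix appears to be missing from this update; either carry that upstream change as its own patch or drop the CVE from the subject, file name and changelog so the package is not reported as fixed when it is not.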
@@ -0,0 +1,33 @@
+From 8bbda7e11f328021a1209eafc6d2c7ad2cd77901 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:14:29 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49177
+
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 7793272..209e3d8 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.41.0
+
diff --git a/1003-fix-CVE-2025-49178.patch b/1003-fix-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37a88821f0f695a555c521a483058ae85d0ec45d
--- /dev/null
+++ b/1003-fix-CVE-2025-49178.patch
@@ -0,0 +1,25 @@
+From b292b85c7b984c131eac1af456b9e0b0fa6b1686 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:20:12 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49178
+
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 5b7fac3..19d5210 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.41.0
+
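Review bot: The new `!oci->ignoreBytes` term in the os/io.c hunk of 1003 is not explained anywhere: the subject is one line and the hunk adds no comment. A short comment above the test would record the reason, for example `/* Keep this buffer out of AvailableInput while bytes of an ignored request are still pending, or the next request read into it would be skipped. */`. That wording is my reading of the fix, so confirm it against the upstream commit the spec cites for Patch7. ReadRequestFromClient starts and ends outside the hunk.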
diff --git a/1004-fix-CVE-2025-49179.patch b/1004-fix-CVE-2025-49179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37b441f84ab56ef6de8c82adc443a9bc7caee880
--- /dev/null
+++ b/1004-fix-CVE-2025-49179.patch
@@ -0,0 +1,38 @@
+From 766f80dc789c38e4e4f1392d4c5ed50a08447a07 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:33:40 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49179
+
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..7a9e907 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "../include/opaque.h"
+
+ #include
+ #include
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.41.0
+
diff --git a/1005-fix-CVE-2025-49180.patch b/1005-fix-CVE-2025-49180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a48afb60354e514de6cb500e0e26de8917c1dc5
--- /dev/null
+++ b/1005-fix-CVE-2025-49180.patch
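Review bot: The added `#include "../include/opaque.h"` in record.c uses a relative path while the neighbouring includes are bare names (`"inputstr.h"`, `"scrnintstr.h"`); if the include directory is already on the search path, as those lines suggest, `#include "opaque.h"` is the consistent form. The new comment has a typo, `way less that MAXINT` should read `way less than MAXINT`. It would also help to state the ordering dependency outright: `4 * stuff->nClients` in the second test cannot wrap only because nClients was already capped at LimitClients by the first, so the two checks must not be reordered. RecordSanityCheckRegisterClients continues outside the hunk.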
@@ -0,0 +1,51 @@
+From 43ad12fa09dd7830797dca93b9156af964bc49cd Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:37:35 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49180
+
+---
+ hw/xfree86/modes/xf86RandR12.c | 6 ++++--
+ randr/rrproviderproperty.c | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
+index 39a38c7..8f97e79 100644
+--- a/hw/xfree86/modes/xf86RandR12.c
++++ b/hw/xfree86/modes/xf86RandR12.c
+@@ -2142,7 +2142,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
+ /* If we don't have any property handler, then we don't care what the
+ * user is setting properties to.
+ */
+- if (config->provider_funcs->set_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->set_property == NULL)
+ return TRUE;
+
+ /*
+@@ -2160,7 +2161,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
+ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
+ xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+
+- if (config->provider_funcs->get_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->get_property == NULL)
+ return TRUE;
+
+ /* Should be safe even w/o vtSema */
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..44cb5c7 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -180,6 +180,9 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
++
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.41.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index bf7c7a0add4ada99e70900b6097d2bb175e2a697..98b6339a8fa4fe00ffe779173b85c50d56e1a4c2 100644
--- a/xorg-x11-server.spec
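Review bot: The new `return BadValue;` in RRChangeProviderProperty leaves the function before the allocation-failure branch that follows (`if (!new_value.data && total_size) {`), so whatever cleanup that branch performs is skipped on the overflow path. The start of the function and the body of that branch are outside the hunk; if a property record can be freshly created before this block, the overflow return should release it the same way the allocation-failure path does, otherwise each rejected request would leak one record. The guard also divides by `size_in_bytes`, whose derivation is not visible here, so confirm it can never be 0 at this point for every caller, not only the protocol handler.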
+++ b/xorg-x11-server.spec @@ -1,4 +1,4 @@ -%define anolis_release 14 +%define anolis_release 15 # X.org requires lazy relocations to work. %undefine _hardened_build %undefine _strict_symbol_defs_build @@ -45,6 +45,17 @@ Patch3: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch # Fix compilation error on i686 (21.1.14+) # https://gitlab.freedesktop.org/xorg/xserver/-/commit/8407181c7dfe14086d99697af0b86120320ab73e Patch4: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee +Patch5: 1001-fix-CVE-2025-49175-CVE-2025-49176.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af +Patch6: 1002-fix-CVE-2025-49177.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 +Patch7: 1003-fix-CVE-2025-49178.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 +Patch8: 1004-fix-CVE-2025-49179.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6 +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d +Patch9: 1005-fix-CVE-2025-49180.patch BuildRequires: bison BuildRequires: flex @@ -418,6 +429,10 @@ find %{buildroot} -type f -name '*.la' -delete %changelog +* Mon Jun 23 2025 mgb01105731 - 21.1.13-15 +- Add patchs to fix CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 + CVE-2025-49179 CVE-2025-49180 + * Tue Oct 8 2024 Tingyin Duan - 21.1.13-14 - initial from Fedora Rawhide