diff --git a/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch b/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch
new file mode 100644
index 0000000..32b0106
--- /dev/null
+++ b/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch
@@ -0,0 +1,56 @@
+From 85d9f7932353b6e0986796dbb09b7f778f9cc9aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
+Date: Fri, 24 Jul 2020 18:21:05 +0200
+Subject: [PATCH xserver] glamor: Fix glamor_poly_fill_rect_gl
+ xRectangle::width/height handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(Using GLSL 1.30 or newer)
+
+The width/height members of xRectangle are unsigned, but they were
+being interpreted as signed when converting to floating point for the
+vertex shader, producing incorrect drawing for values > 32767.
+
+Solve this by passing through the values as integers, and masking off
+the upper 16 bits in the vertex shader (which could be 1 due to sign
+extension).
+
+Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
+---
+ glamor/glamor_rects.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/glamor/glamor_rects.c b/glamor/glamor_rects.c
+index 6cbb040c1..5cac40d49 100644
+--- a/glamor/glamor_rects.c
++++ b/glamor/glamor_rects.c
+@@ -27,9 +27,10 @@
+ static const glamor_facet glamor_facet_polyfillrect_130 = {
+     .name = "poly_fill_rect",
+     .version = 130,
+-    .vs_vars = "attribute vec4 primitive;\n",
+-    .vs_exec = ("       vec2 pos = primitive.zw * vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n"
+-                GLAMOR_POS(gl_Position, (primitive.xy + pos))),
++    .vs_vars = "attribute ivec4 primitive;\n",
++    .vs_exec = ("       vec2 pos = vec2(primitive.zw & ivec2(0xffff));\n"
++                "       pos *= vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n"
++                GLAMOR_POS(gl_Position, (vec2(primitive.xy) + pos))),
+ };
+ 
+ static const glamor_facet glamor_facet_polyfillrect_120 = {
+@@ -81,8 +82,8 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable,
+ 
+         glEnableVertexAttribArray(GLAMOR_VERTEX_POS);
+         glVertexAttribDivisor(GLAMOR_VERTEX_POS, 1);
+-        glVertexAttribPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT, GL_FALSE,
+-                              4 * sizeof (short), vbo_offset);
++        glVertexAttribIPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT,
++                               4 * sizeof (short), vbo_offset);
+ 
+         memcpy(v, prect, nrect * sizeof (xRectangle));
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch b/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch
new file mode 100644
index 0000000..8cab652
--- /dev/null
+++ b/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch
@@ -0,0 +1,84 @@
+From 23c55ec32973e0a75d723e3f37769dd711c9c59c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
+Date: Wed, 22 Jul 2020 18:20:14 +0200
+Subject: [PATCH xserver] xwayland: Hold a pixmap reference in struct
+ xwl_present_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the log of the commit below, I claimed this wasn't necessary on the
+1.20 branch, but this turned out to be wrong: It meant that
+event->buffer could already be destroyed in xwl_present_free_event,
+resulting in use-after-free and likely a crash.
+
+Fixes: 22c0808ac88f "xwayland: Free all remaining events in
+                     xwl_present_cleanup"
+Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
+---
+ hw/xwayland/xwayland-present.c | 17 +++++++++++++----
+ hw/xwayland/xwayland.h         |  2 +-
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
+index 2cec63f59..f003170a9 100644
+--- a/hw/xwayland/xwayland-present.c
++++ b/hw/xwayland/xwayland-present.c
+@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event)
+     if (!event)
+         return;
+ 
+-    if (event->buffer)
+-        wl_buffer_set_user_data(event->buffer, NULL);
++    if (event->pixmap) {
++        if (!event->buffer_released) {
++            struct wl_buffer *buffer =
++                xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL);
++
++            wl_buffer_set_user_data(buffer, NULL);
++        }
++
++        dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id);
++    }
+ 
+     xorg_list_del(&event->list);
+     free(event);
+@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
+         return BadAlloc;
+ 
+     event->event_id = event_id;
+-    event->buffer = NULL;
++    event->pixmap = NULL;
+     event->xwl_present_window = xwl_present_window;
+     event->target_msc = msc;
+ 
+@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window,
+     if (!event)
+         return FALSE;
+ 
++    pixmap->refcnt++;
+     buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created);
+ 
+     event->event_id = event_id;
+     event->xwl_present_window = xwl_present_window;
+-    event->buffer = buffer;
++    event->pixmap = pixmap;
+     event->target_msc = target_msc;
+     event->pending = TRUE;
+     event->abort = FALSE;
+diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
+index bc5836ec4..b9495b313 100644
+--- a/hw/xwayland/xwayland.h
++++ b/hw/xwayland/xwayland.h
+@@ -215,7 +215,7 @@ struct xwl_present_event {
+     Bool buffer_released;
+ 
+     struct xwl_present_window *xwl_present_window;
+-    struct wl_buffer *buffer;
++    PixmapPtr pixmap;
+ 
+     struct xorg_list list;
+ };
+-- 
+2.26.2
+
diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec
index 2ce3223..a96c2a0 100644
--- a/SPECS/xorg-x11-server.spec
+++ b/SPECS/xorg-x11-server.spec
@@ -46,7 +46,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.8
-Release:   4%{?gitdate:.%{gitdate}}%{?dist}
+Release:   5%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -115,6 +115,8 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
 Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch
 Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
 Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch
+Patch204: 0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch
+Patch205: 0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch
 
 BuildRequires: systemtap-sdt-devel
 BuildRequires: git
@@ -558,6 +560,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 
 
 %changelog
+* Tue Aug  4 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-5
+- xwayland: Hold a pixmap reference in struct xwl_present_event
+  Related: #1728684
+- glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling
+  Resolves: #1740250
+
 * Fri Jul 10 2020 Ray Strode <rstrode@redhat.com> - 1.20.8-4
 - Don't switch VTs in the exit path, if killed on inactive VT
   Related: #1618481