poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2022-3551
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>

 From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Wed, 13 Jul 2022 11:23:09 +1000
 Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName

 GetComponentByName returns an allocated string, so let's free that if we
 fail somewhere.

 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
  xkb/xkb.c | 26 ++++++++++++++++++++------
  1 file changed, 20 insertions(+), 6 deletions(-)

 diff --git a/xkb/xkb.c b/xkb/xkb.c
 index 4692895db..b79a269e3 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
 @@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
      xkb = dev->key->xkbInfo->desc;
      status = Success;
      str = (unsigned char *) &stuff[1];
 -    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
 -        return BadMatch;
 +    {
 +        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
 +        if (keymap) {
 +            free(keymap);
 +            return BadMatch;
 +        }
 +    }
      names.keycodes = GetComponentSpec(&str, TRUE, &status);
      names.types = GetComponentSpec(&str, TRUE, &status);
      names.compat = GetComponentSpec(&str, TRUE, &status);
      names.symbols = GetComponentSpec(&str, TRUE, &status);
      names.geometry = GetComponentSpec(&str, TRUE, &status);
 -    if (status != Success)
 +    if (status == Success) {
 +        len = str - ((unsigned char *) stuff);
 +        if ((XkbPaddedSize(len) / 4) != stuff->length)
 +            status = BadLength;
 +    }
 +
 +    if (status != Success) {
 +        free(names.keycodes);
 +        free(names.types);
 +        free(names.compat);
 +        free(names.symbols);
 +        free(names.geometry);
          return status;
 -    len = str - ((unsigned char *) stuff);
 -    if ((XkbPaddedSize(len) / 4) != stuff->length)
 -        return BadLength;
 +    }

      CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
      CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
 --
 2.34.1
	CVE: CVE-2022-3551
	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@arm.com>

	From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
	From: Peter Hutterer <peter.hutterer@who-t.net>
	Date: Wed, 13 Jul 2022 11:23:09 +1000
	Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName

	GetComponentByName returns an allocated string, so let's free that if we
	fail somewhere.

	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	---
	xkb/xkb.c \| 26 ++++++++++++++++++++------
	1 file changed, 20 insertions(+), 6 deletions(-)

	diff --git a/xkb/xkb.c b/xkb/xkb.c
	index 4692895db..b79a269e3 100644
	--- a/xkb/xkb.c
	+++ b/xkb/xkb.c
	@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
	xkb = dev->key->xkbInfo->desc;
	status = Success;
	str = (unsigned char *) &stuff[1];
	- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
	- return BadMatch;
	+ {
	+ char keymap = GetComponentSpec(&str, TRUE, &status); / keymap, unsupported */
	+ if (keymap) {
	+ free(keymap);
	+ return BadMatch;
	+ }
	+ }
	names.keycodes = GetComponentSpec(&str, TRUE, &status);
	names.types = GetComponentSpec(&str, TRUE, &status);
	names.compat = GetComponentSpec(&str, TRUE, &status);
	names.symbols = GetComponentSpec(&str, TRUE, &status);
	names.geometry = GetComponentSpec(&str, TRUE, &status);
	- if (status != Success)
	+ if (status == Success) {
	+ len = str - ((unsigned char *) stuff);
	+ if ((XkbPaddedSize(len) / 4) != stuff->length)
	+ status = BadLength;
	+ }
	+
	+ if (status != Success) {
	+ free(names.keycodes);
	+ free(names.types);
	+ free(names.compat);
	+ free(names.symbols);
	+ free(names.geometry);
	return status;
	- len = str - ((unsigned char *) stuff);
	- if ((XkbPaddedSize(len) / 4) != stuff->length)
	- return BadLength;
	+ }

	CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
	CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
	--
	2.34.1