| From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001 |
| From: Hitendra Prajapati <hprajapati@mvista.com> |
| Date: Wed, 2 Nov 2022 17:04:15 +0530 |
| Subject: [PATCH] CVE-2022-3554 |
| |
| Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef] |
| CVE: CVE-2022-3554 |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| |
| fix a memory leak in XRegisterIMInstantiateCallback |
| |
| Analysis: |
| |
| _XimRegisterIMInstantiateCallback() opens an XIM and closes it using |
| the internal function pointers, but the internal close function does |
| not free the pointer to the XIM (this would be done in XCloseIM()). |
| |
| Report/patch: |
| |
| Date: Mon, 03 Oct 2022 18:47:32 +0800 |
| From: Po Lu <luangruo@yahoo.com> |
| To: xorg-devel@lists.x.org |
| Subject: Re: Yet another leak in Xlib |
| |
| For reference, here's how I'm calling XRegisterIMInstantiateCallback: |
| |
|     XSetLocaleModifiers (""); |
|     XRegisterIMInstantiateCallback (compositor.display, |
|                                     XrmGetDatabase (compositor.display), |
|                                     (char *) compositor.resource_name, |
|                                     (char *) compositor.app_name, |
|                                     IMInstantiateCallback, NULL); |
| and XMODIFIERS is: |
| |
| @im=ibus |
| |
| Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net> |
| --- |
| modules/im/ximcp/imInsClbk.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c |
| index 961aaba..0a8a874 100644 |
| --- a/modules/im/ximcp/imInsClbk.c |
| +++ b/modules/im/ximcp/imInsClbk.c |
| @@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback( |
| if( xim ) { |
| lock = True; |
| xim->methods->close( (XIM)xim ); |
| + /* XIMs must be freed manually after being opened; close just |
| + does the protocol to deinitialize the IM. */ |
| + XFree( xim ); |
| lock = False; |
| icb->call = True; |
| callback( display, client_data, NULL ); |
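Review bot: After the added `XFree( xim );` the local `xim` still holds the freed address, and the lines shown here do not reveal whether it is read again later in `_XimRegisterIMInstantiateCallback()`. Setting `xim = NULL;` directly after the free, or confirming that nothing below this block touches it, would rule out a use-after-free or double free. The hunk also does not show how the XIM was allocated, so it is worth confirming that `XFree()` is the matching deallocator for what the open path returns, and that `methods->close()` releases every member the structure owns, since the commit message says the pointer is otherwise only freed in XCloseIM().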
| -- |
| 2.25.1 |
| |