Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | 1 | CVE: CVE-2022-3551 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 |
| 6 | From: Peter Hutterer <peter.hutterer@who-t.net> |
| 7 | Date: Wed, 13 Jul 2022 11:23:09 +1000 |
| 8 | Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName |
| 9 | |
| 10 | GetComponentByName returns an allocated string, so let's free that if we |
| 11 | fail somewhere. |
| 12 | |
| 13 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 14 | --- |
| 15 | xkb/xkb.c | 26 ++++++++++++++++++++------ |
| 16 | 1 file changed, 20 insertions(+), 6 deletions(-) |
| 17 | |
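--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
 xkb = dev->key->xkbInfo->desc;
 status = Success;
 str = (unsigned char *) &stuff[1];
- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
- return BadMatch;
+ {
+ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
+ if (keymap) {
+ free(keymap);
+ return BadMatch;
+ }
+ }
 names.keycodes = GetComponentSpec(&str, TRUE, &status);
 names.types = GetComponentSpec(&str, TRUE, &status);
 names.compat = GetComponentSpec(&str, TRUE, &status);
 names.symbols = GetComponentSpec(&str, TRUE, &status);
 names.geometry = GetComponentSpec(&str, TRUE, &status);
- if (status != Success)
+ if (status == Success) {
+ len = str - ((unsigned char *) stuff);
+ if ((XkbPaddedSize(len) / 4) != stuff->length)
+ status = BadLength;
+ }
+
+ if (status != Success) {
+ free(names.keycodes);
+ free(names.types);
+ free(names.compat);
+ free(names.symbols);
+ free(names.geometry);
 return status;
- len = str - ((unsigned char *) stuff);
- if ((XkbPaddedSize(len) / 4) != stuff->length)
- return BadLength;
+ }
 
 CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
 CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);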
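Review bot: The two `CHK_MASK_LEGAL(...)` checks that follow the new cleanup block run while `names.keycodes` through `names.geometry` are still allocated, so if that macro returns from the function on an illegal mask (its definition is not shown in the hunk), those five strings leak on a client-reachable path of the same kind this patch closes elsewhere. Either validate `stuff->want` and `stuff->need` before the first `names.keycodes = GetComponentSpec(&str, TRUE, &status);`, or free the five fields on the mask-failure path as well; note that moving the checks changes which error a malformed request sees first. Separately, the comparison against `stuff->length` still happens only after all six `GetComponentSpec` calls have advanced `str`, so the bounds of those reads depend on checks inside `GetComponentSpec`, which is outside this hunk and worth confirming. The body of `ProcXkbGetKbdByName` starts and ends outside the hunk.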
| 61 | -- |
| 62 | 2.34.1 |
| 63 | |