xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593SmuzhiyunFrom 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: "Thomas E. Dickey" <dickey@invisible-island.net>
3*4882a593SmuzhiyunDate: Tue, 4 Oct 2022 18:26:17 -0400
4*4882a593SmuzhiyunSubject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunUpstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
7*4882a593SmuzhiyunCVE: CVE-2022-3554
8*4882a593SmuzhiyunSigned-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9*4882a593Smuzhiyun
10*4882a593Smuzhiyunfix a memory leak in XRegisterIMInstantiateCallback
11*4882a593Smuzhiyun
12*4882a593SmuzhiyunAnalysis:
13*4882a593Smuzhiyun
14*4882a593Smuzhiyun    _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
15*4882a593Smuzhiyun    the internal function pointers, but the internal close function does
16*4882a593Smuzhiyun    not free the pointer to the XIM (this would be done in XCloseIM()).
17*4882a593Smuzhiyun
18*4882a593SmuzhiyunReport/patch:
19*4882a593Smuzhiyun
20*4882a593Smuzhiyun    Date: Mon, 03 Oct 2022 18:47:32 +0800
21*4882a593Smuzhiyun    From: Po Lu <luangruo@yahoo.com>
22*4882a593Smuzhiyun    To: xorg-devel@lists.x.org
23*4882a593Smuzhiyun    Subject: Re: Yet another leak in Xlib
24*4882a593Smuzhiyun
25*4882a593Smuzhiyun    For reference, here's how I'm calling XRegisterIMInstantiateCallback:
26*4882a593Smuzhiyun
27*4882a593Smuzhiyun    XSetLocaleModifiers ("");
28*4882a593Smuzhiyun    XRegisterIMInstantiateCallback (compositor.display,
29*4882a593Smuzhiyun                                    XrmGetDatabase (compositor.display),
30*4882a593Smuzhiyun                                    (char *) compositor.resource_name,
31*4882a593Smuzhiyun                                    (char *) compositor.app_name,
32*4882a593Smuzhiyun                                    IMInstantiateCallback, NULL);
33*4882a593Smuzhiyun    and XMODIFIERS is:
34*4882a593Smuzhiyun
35*4882a593Smuzhiyun        @im=ibus
36*4882a593Smuzhiyun
37*4882a593SmuzhiyunSigned-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
38*4882a593Smuzhiyun---
39*4882a593Smuzhiyun modules/im/ximcp/imInsClbk.c | 3 +++
40*4882a593Smuzhiyun 1 file changed, 3 insertions(+)
41*4882a593Smuzhiyun
42*4882a593Smuzhiyundiff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
43*4882a593Smuzhiyunindex 95b379c..c10e347 100644
44*4882a593Smuzhiyun--- a/modules/im/ximcp/imInsClbk.c
45*4882a593Smuzhiyun+++ b/modules/im/ximcp/imInsClbk.c
46*4882a593Smuzhiyun@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
47*4882a593Smuzhiyun     if( xim ) {
48*4882a593Smuzhiyun 	lock = True;
49*4882a593Smuzhiyun 	xim->methods->close( (XIM)xim );
50*4882a593Smuzhiyun+	/* XIMs must be freed manually after being opened; close just
51*4882a593Smuzhiyun+	   does the protocol to deinitialize the IM.  */
52*4882a593Smuzhiyun+	XFree( xim );
53*4882a593Smuzhiyun 	lock = False;
54*4882a593Smuzhiyun 	icb->call = True;
55*4882a593Smuzhiyun 	callback( display, client_data, NULL );
56*4882a593Smuzhiyun--
57*4882a593Smuzhiyun2.25.1
58*4882a593Smuzhiyun
59