From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
From: "Thomas E. Dickey" <dickey@invisible-island.net>
Date: Tue, 4 Oct 2022 18:26:17 -0400
Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
CVE: CVE-2022-3554
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>

fix a memory leak in XRegisterIMInstantiateCallback

Analysis:

    _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
    the internal function pointers, but the internal close function does
    not free the pointer to the XIM (this would be done in XCloseIM()).

Report/patch:

    Date: Mon, 03 Oct 2022 18:47:32 +0800
    From: Po Lu <luangruo@yahoo.com>
    To: xorg-devel@lists.x.org
    Subject: Re: Yet another leak in Xlib

    For reference, here's how I'm calling XRegisterIMInstantiateCallback:

      XSetLocaleModifiers ("");
      XRegisterIMInstantiateCallback (compositor.display,
                                      XrmGetDatabase (compositor.display),
                                      (char *) compositor.resource_name,
                                      (char *) compositor.app_name,
                                      IMInstantiateCallback, NULL);

    and XMODIFIERS is:

    @im=ibus

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
---
 modules/im/ximcp/imInsClbk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
index 95b379c..c10e347 100644
--- a/modules/im/ximcp/imInsClbk.c
+++ b/modules/im/ximcp/imInsClbk.c
@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
     if( xim ) {
         lock = True;
         xim->methods->close( (XIM)xim );
+        /* XIMs must be freed manually after being opened; close just
+           does the protocol to deinitialize the IM. */
+        XFree( xim );
         lock = False;
         icb->call = True;
         callback( display, client_data, NULL );
-- 
2.25.1

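Review bot: the comment added in the `+` lines ("XIMs must be freed manually after being opened; close just does the protocol to deinitialize the IM") states a general rule that the commit message itself contradicts: per the Analysis, the free normally happens inside XCloseIM(), and it is only needed here because this path bypasses XCloseIM() and calls `xim->methods->close( (XIM)xim );` directly. Say that in the comment, e.g. `/* XCloseIM() would free this for us; since we call methods->close() directly, free it here. */`, so the next reader does not conclude that every caller of XOpenIM() must XFree() the handle after XCloseIM(). Also consider whether `XCloseIM( (XIM)xim );` could replace the open-coded close-plus-free, unless the `lock = True;` / `lock = False;` bracket around the direct call is the reason to keep it, in which case that reason belongs in the comment too. Finally, nothing in the visible context uses `xim` after the new `XFree( xim );`, but please confirm the rest of _XimRegisterIMInstantiateCallback() does not dereference it later.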