libX11: CVE-2022-3554 Fix memory leak

Upstream-Status: Backport from 1d11822601

(From OE-Core rev: 1d36df9c9ec0ea13c4e0c3794b0d97305e2c6ac1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Hitendra Prajapati
2022-11-02 18:57:06 +05:30
committed by Richard Purdie
parent 3903d753f9
commit 32c25a0202
2 changed files with 59 additions and 0 deletions

@@ -0,0 +1,58 @@
From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Wed, 2 Nov 2022 17:04:15 +0530
Subject: [PATCH] CVE-2022-3554
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
CVE: CVE-2022-3554
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
fix a memory leak in XRegisterIMInstantiateCallback
Analysis:
_XimRegisterIMInstantiateCallback() opens an XIM and closes it using
the internal function pointers, but the internal close function does
not free the pointer to the XIM (this would be done in XCloseIM()).
Report/patch:
Date: Mon, 03 Oct 2022 18:47:32 +0800
From: Po Lu <luangruo@yahoo.com>
To: xorg-devel@lists.x.org
Subject: Re: Yet another leak in Xlib
For reference, here's how I'm calling XRegisterIMInstantiateCallback:
XSetLocaleModifiers ("");
XRegisterIMInstantiateCallback (compositor.display,
XrmGetDatabase (compositor.display),
(char *) compositor.resource_name,
(char *) compositor.app_name,
IMInstantiateCallback, NULL);
and XMODIFIERS is:
@im=ibus
Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
---
modules/im/ximcp/imInsClbk.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
index 961aaba..0a8a874 100644
--- a/modules/im/ximcp/imInsClbk.c
+++ b/modules/im/ximcp/imInsClbk.c
@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
if( xim ) {
lock = True;
xim->methods->close( (XIM)xim );
+ /* XIMs must be freed manually after being opened; close just
+ does the protocol to deinitialize the IM. */
+ XFree( xim );
lock = False;
icb->call = True;
callback( display, client_data, NULL );
--
2.25.1
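Review bot: the trailer "Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>" in the embedded patch header contains pasted web-page text ("'s avatar") and should be a plain Signed-off-by line. The header also places the backporter's Signed-off-by and the Upstream-Status and CVE tags above the upstream description instead of with the other trailers before the "---" separator, and its From: line names the backporter while the body credits the report/patch to Po Lu. Regenerating the file from the upstream commit given in Upstream-Status, then appending the Upstream-Status, CVE and backporter Signed-off-by lines at the end of the message, would address all three. On the code itself, XFree( xim ) follows xim->methods->close( (XIM)xim ) and xim is not referenced again in the visible context lines, so the placement is consistent with the analysis in the message.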

@@ -16,6 +16,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
file://CVE-2020-14344.patch \
file://CVE-2020-14363.patch \
file://CVE-2021-31535.patch \
file://CVE-2022-3554.patch \
"
SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"