authorMatthieu Herrb <matthieu@cvs.openbsd.org>2013-10-09 05:37:57 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2013-10-09 05:37:57 +0000
commit5bcc0de1b10c431694f028e22effbc9755c50c96 (patch)
treec4ff487943dbe39cd45f94fb0f42b6ac781a1e68
parent452c9686309d63ec2dc19593fb272ef184dc2046 (diff)
Fix from upstreams for CVE-2013-4396
Use after free in Xserver handling of ImageText requests
-rw-r--r--xserver/dix/dixfonts.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/xserver/dix/dixfonts.c b/xserver/dix/dixfonts.c
index feb765d1c..2e34d370f 100644
--- a/xserver/dix/dixfonts.c
+++ b/xserver/dix/dixfonts.c
@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
data = malloc(c->nChars * itemSize);
if (!data) {
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
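Review bot: The three added `c = old_closure;` restores (here after the failed `malloc` of `data`, and again in the hunks at -1452 and -1464) each have to be remembered by hand, and nothing in the code says why they are needed. Presumably the `bail:` path, which is outside these hunks, still dereferences `c`, so leaving it pointing at the freed copy was the use after free; a comment at `old_closure = c;` such as `/* bail: still reads c; every error path below must restore it after freeing the copy */` would keep a future error path from reintroducing the bug. A sturdier shape would be to fill in `new_closure` directly and assign `c = new_closure;` only after the last allocation has succeeded, so `c` never points at freed memory on a failure path. The enclosing block of doImageText starts and ends outside the hunks.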
@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
if (!pGC) {
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
FreeScratchGC(pGC);
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}