diff options
Diffstat (limited to 'debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch')
-rw-r--r-- | debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch | 51 |
1 files changed, 46 insertions, 5 deletions
diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch index 8cb1d0d7b..b7d63f6d4 100644 --- a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch +++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch @@ -21,12 +21,14 @@ X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. + +v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) +v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) + --- nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c -index 193f555..42fd647 100644 --- a/nx-X11/programs/Xserver/dix/dixfonts.c +++ b/nx-X11/programs/Xserver/dix/dixfonts.c @@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) @@ -69,6 +71,45 @@ index 193f555..42fd647 100644 err = BadAlloc; goto bail; } --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +@@ -1711,6 +1711,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1723,6 +1724,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1730,6 +1732,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1741,6 +1744,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1759,6 +1763,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } |