From 290f94aea2b6cf0b265bce33cadcf2f2cbcacd53 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 11 Feb 2011 14:20:24 -0800
Subject: ximcp: Prevent memory leak & double free if multiple %L in string

In the highly unlikely event that TransFileName was passed a path containing multiple %L entries, for each entry it would call _XlcFileName, leaking the previous results, and then for each entry it would copy from that pointer and free it, resulting in invalid pointers & possible double frees for each use after the first one freed it.

Error: Use after free (CWE 416) Use after free of pointer 'lcCompose' at line 358 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'. Previously freed at line 360 with free.
Error: Use after free (CWE 416) Use after free of pointer 'lcCompose' at line 359 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'. Previously freed at line 360 with free.
Error: Double free (CWE 415) Double free of pointer 'lcCompose' at line 360 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'. Previously freed at line 360 with free.

[ This bug was found by the Parfait 0.3.6 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith
(cherry picked from commit 6ac417cea1136a3617f5e40f4b106aaa3f48d6c2)
Backported-to-NX-by: Ulrich Sibiller
---
 nx-X11/lib/X11/imLcPrs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c
index 4dbcbbed4..549fe523a 100644
--- a/nx-X11/lib/X11/imLcPrs.c
+++ b/nx-X11/lib/X11/imLcPrs.c
@@ -321,7 +321,8 @@ TransFileName(Xim im, char *name)
 l += strlen(home);
 break;
 case 'L':
- lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
+ if (lcCompose == NULL)
+ lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
 if (lcCompose)
 l += strlen(lcCompose);
 break;
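Review bot: The new `if (lcCompose == NULL)` guard in the `case 'L':` branch is only sound if `lcCompose` is initialised to NULL where it is declared, and that declaration is outside this hunk, so it should be confirmed before merging. With an uninitialised pointer the lookup would be skipped and an indeterminate value would reach strlen() here and the later strcpy()/Xfree(). The ownership rule is also worth stating next to the guard, for example `/* looked up once; the same string is sized here, copied in the second pass, and freed once before return */`. TransFileName's body starts and ends outside the hunk.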
@@ -357,7 +358,6 @@ TransFileName(Xim im, char *name)
 if (lcCompose) {
 strcpy(j, lcCompose);
 j += strlen(lcCompose);
- Xfree(lcCompose);
 }
 break;
 case 'S':
@@ -371,6 +371,7 @@ TransFileName(Xim im, char *name)
 }
 }
 *j = '\0';
+ Xfree(lcCompose);
 return ret;
 }
-- cgit v1.2.3
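Review bot: The single `Xfree(lcCompose);` added before `return ret;` releases the string only on the path that falls through to the end of the function. If TransFileName has an earlier return between the sizing pass and this point (for instance when allocating `ret` fails, which is not visible in this hunk), the string returned by _XlcFileName would leak on that path. Routing such exits through one label placed just before `Xfree(lcCompose);` would keep the free on every path. The function begins outside the hunk, so this needs checking against the full body.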