From 730876f8fafba2aa5fdb411fe443b41d9bd67d2c Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller <uli42@gmx.de>
Date: Fri, 31 May 2019 00:52:59 +0200
Subject: NXrender.c, render.c: fix memory handling bugs

---
 nx-X11/programs/Xserver/hw/nxagent/NXrender.c | 23 +++++++++++++++++++----
 nx-X11/programs/Xserver/render/render.c       | 12 ++++++++----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
index 105d7048b..0918ecfaf 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
@@ -1001,7 +1001,8 @@ ProcRenderCompositeGlyphs (ClientPtr client)
 	listsBase = (GlyphListPtr) malloc (nlist * sizeof (GlyphListRec));
 	if (!listsBase)
 	{
-	    free(glyphsBase);
+	    if (glyphsBase != glyphsLocal)
+		free(glyphsBase);
 	    return BadAlloc;
 	}
     }
@@ -1009,9 +1010,11 @@ ProcRenderCompositeGlyphs (ClientPtr client)
     elementsBase = malloc(nlist * sizeof(XGlyphElt8));
     if (!elementsBase)
     {
-        free(glyphsBase);
-        free(listsBase);
-        return BadAlloc;
+	if (glyphsBase != glyphsLocal)
+	    free(glyphsBase);
+	if (listsBase != listsLocal)
+	    free(listsBase);
+	return BadAlloc;
     }
 
     buffer = (CARD8 *) (stuff + 1);
@@ -1044,6 +1047,9 @@ ProcRenderCompositeGlyphs (ClientPtr client)
 			free (glyphsBase);
 		    if (listsBase != listsLocal)
 			free (listsBase);
+#ifdef NXAGENT_SERVER
+		    free(elementsBase);
+#endif
 		    return RenderErrBase + BadGlyphSet;
 		}
 	    }
@@ -1101,7 +1107,16 @@ ProcRenderCompositeGlyphs (ClientPtr client)
 	}
     }
     if (buffer > end)
+    {
+	if (glyphsBase != glyphsLocal)
+	    free(glyphsBase);
+	if (listsBase != listsLocal)
+	    free(listsBase);
+#ifdef NXAGENT_SERVER
+	free(elementsBase);
+#endif
 	return BadLength;
+    }
 
     /*
      * We need to know the glyphs extents to synchronize
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index e4d8a3f76..f0bc6a1c9 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -1347,9 +1347,8 @@ ProcRenderCompositeGlyphs (ClientPtr client)
 	listsBase = (GlyphListPtr) malloc (nlist * sizeof (GlyphListRec));
 	if (!listsBase)
 	{
-	    free(glyphsBase);
-	    free(listsBase);
-
+	    if (glyphsBase != glyphsLocal)
+	        free(glyphsBase);
 	    return BadAlloc;
 	}
     }
@@ -1417,8 +1416,13 @@ ProcRenderCompositeGlyphs (ClientPtr client)
 	}
     }
     if (buffer > end)
+    {
+	if (glyphsBase != glyphsLocal)
+	    free(glyphsBase);
+	if (listsBase != listsLocal)
+	    free(listsBase);
 	return BadLength;
-
+    }
     CompositeGlyphs (stuff->op,
 		     pSrc,
 		     pDst,
-- 
cgit v1.2.3