From 71fb99cb433d657bd9f4898a93a6ba4733c7093e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 16 May 2013 23:05:36 -0700
Subject: Free fs->properties in XF86BigfontQueryFont overflow error path

Fixes small memory leak introduced in commit 5669a22081

Reported-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Hint: Upstream commit 5669a22081 is "integer overflow in _XF86BigfontQueryFont() [CVE-2013-1981 2/13]"

Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/Font.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'nx-X11/lib/X11')

diff --git a/nx-X11/lib/X11/Font.c b/nx-X11/lib/X11/Font.c
index c0efb3f45..7943ba7a1 100644
--- a/nx-X11/lib/X11/Font.c
+++ b/nx-X11/lib/X11/Font.c
@@ -508,6 +508,7 @@ _XF86BigfontQueryFont (
        any real font needs, so the combined total doesn't overflow either */
     if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) ||
        reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) {
+       Xfree((char *) fs->properties);
        Xfree((char *) fs);
        _XEatDataWords(dpy, reply_left);
        return (XFontStruct *)NULL;
-- 
cgit v1.2.3