authorMike DePaulo <mikedep333@gmail.com>2014-04-05 11:56:01 -0400
committerMike DePaulo <mikedep333@gmail.com>2014-04-05 11:56:01 -0400
commit0ab0f870694adbca389833d62e4514b92c13e8bc (patch)
tree0a066c6301049442a3f9cb2fff15afeaa7de4a41
parent3691880b30d149d27b9116f48069cf6e33bb6ff9 (diff)
Fix CVE-2013-4396 (2013-10-08). The fix is included in upstream xserver 1.14.4.
-rw-r--r--xorg-server/dix/dixfonts.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/xorg-server/dix/dixfonts.c b/xorg-server/dix/dixfonts.c
index 22c236553..dd7700860 100644
--- a/xorg-server/dix/dixfonts.c
+++ b/xorg-server/dix/dixfonts.c
@@ -1459,6 +1459,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1470,12 +1471,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
data = malloc(c->nChars * itemSize);
if (!data) {
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
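Review bot: Nothing in the new code says why `c` has to be pointed back at `old_closure` after `free(c)`, here in the `!data` branch and again in the `!pGC` branch and the branch after `FreeScratchGC(pGC)` in the next two hunks. The assignment only makes sense if the code at `bail:` (outside these hunks) still reads through `c`, in which case leaving `c` on the just-freed `new_closure` would be a use-after-free on every allocation-failure path. I would record that at the save point, e.g. `/* bail: still dereferences c; any path that frees new_closure must restore c first */` above `old_closure = c;`. As a style point, writing each pair as `free(new_closure); c = old_closure;` would make it obvious which object is released and which one survives. doImageText starts and ends outside these hunks, so the bail path itself should be checked against this.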
@@ -1486,6 +1489,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
if (!pGC) {
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1498,6 +1502,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
FreeScratchGC(pGC);
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}