authorMichael Jennings <mej@kainx.org>2011-05-15 21:19:59 +0000
committerMichael Jennings <mej@kainx.org>2011-05-15 21:19:59 +0000
commite096c4df0f63fbef9833a8ede248d30ea36650e8 (patch)
tree31ed98725fa8c8062e105dc338872c04f4ac2e61
parent369e95c1df681537492ac4132fcc439a66dd7884 (diff)
Tue Mar 15 23:03:57 2011 mej
Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the XIM code. This only affects versions where XIM support is compiled in (which it is by default). There are no known exploits for this bug, but it is theoretically exploitable. Thanks to Jonathan Brossard and the team at Toucan System for responsibly disclosing this vulnerability and to CERT for assisting with coordination and disclosure. ---------------------------------------------------------------------- SVN revision: 59413
-rw-r--r--ChangeLog10
-rw-r--r--src/command.c8
2 files changed, 17 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 5fce52a..0f39088 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5653,3 +5653,13 @@ claims to be a string, which is probably more correct. This should
also eliminate server round-trips when clients ask for UTF-8, get a
string, then ask for a string (Opera).
----------------------------------------------------------------------
+Tue Mar 15 23:03:57 2011 mej
+
+Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
+XIM code. This only affects versions where XIM support is compiled in
+(which it is by default). There are no known exploits for this bug,
+but it is theoretically exploitable. Thanks to Jonathan Brossard and
+the team at Toucan System for responsibly disclosing this
+vulnerability and to CERT for assisting with coordination and
+disclosure.
+----------------------------------------------------------------------
diff --git a/src/command.c b/src/command.c
index 0f7fdd3..462c3f2 100644
--- a/src/command.c
+++ b/src/command.c
@@ -1274,6 +1274,7 @@ clean_exit(void)
}
if (xim_input_method) {
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
}
# endif
XCloseDisplay(Xdisplay);
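Review bot: The close-then-clear pair `XCloseIM(xim_input_method); xim_input_method = NULL;` is now repeated by hand here in clean_exit() and at the four error returns patched in xim_real_init() below, so the fix holds only while every XCloseIM call site remembers the second line. A file-static helper would keep the two steps together, for example `static void xim_close_method(void) { if (xim_input_method) { XCloseIM(xim_input_method); xim_input_method = NULL; } }`, with each site calling it instead. This diff does not show whether other XCloseIM calls exist in the file; any that do would leave the same dangling global and should be checked. Both functions continue outside their hunks.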
@@ -2088,6 +2089,7 @@ xim_real_init(void)
if ((XGetIMValues(xim_input_method, XNQueryInputStyle, &xim_styles, NULL)) || (!xim_styles)) {
libast_print_error("input method doesn't support any style\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
strncpy(tmp, (rs_preedit_type ? rs_preedit_type : "OverTheSpot,OffTheSpot,Root"), sizeof(tmp) - 1);
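Review bot: The `strncpy(tmp, ..., sizeof(tmp) - 1)` on the last line of this hunk writes no terminator when rs_preedit_type is sizeof(tmp) - 1 bytes or longer, yet the scan in the next hunk walks tmp until it reads '\0'. tmp's declaration is outside the hunk, so this is safe only if the array is zero-initialised there. If it is not, add `tmp[sizeof(tmp) - 1] = '\0';` directly after the copy. rs_preedit_type appears from its name to be a user-supplied setting, so its length should not be assumed.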
@@ -2099,7 +2101,8 @@ xim_real_init(void)
break;
}
for (end = s; (*end && (*end != ',')); end++);
- for (next_s = end--; ((end >= s) && isspace(*end)); end--);
+ next_s = ((*end) ? (end) : (end + 1));
+ for (end--; ((end >= s) && isspace(*end)); end--);
*(end + 1) = '\0';
if (!strcmp(s, "OverTheSpot")) {
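Review bot: When the scan stops on the terminator, `next_s = ((*end) ? (end) : (end + 1));` leaves next_s one byte past the '\0', and the loop header that consumes next_s is outside the hunk. A read from that position is well defined only because the strncpy above zero-pads a short string. For a value that fills tmp, it may land on the array's last byte or beyond it. Please check this against the loop's advance expression and record the invariant in a comment, for example `/* end + 1 is still inside tmp: strncpy() zero-padded the copy */`, or bound next_s explicitly against `tmp + sizeof(tmp) - 1`. Separately, `isspace(*end)` is undefined for negative char values; if end is a plain char pointer, write `isspace((unsigned char) *end)`.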
@@ -2122,6 +2125,7 @@ xim_real_init(void)
if (found == 0) {
libast_print_error("input method doesn't support my preedit type\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if ((xim_input_style != (XIMPreeditNothing | XIMStatusNothing))
@@ -2129,6 +2133,7 @@ xim_real_init(void)
&& (xim_input_style != (XIMPreeditPosition | XIMStatusNothing))) {
libast_print_error("This program does not support the preedit type\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if (xim_input_style & XIMPreeditPosition) {
@@ -2160,6 +2165,7 @@ xim_real_init(void)
if (!xim_input_context) {
libast_print_error("Failed to create input context\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if (xim_input_style & XIMPreeditArea)