-rw-r--r--ChangeLog10
-rw-r--r--src/command.c8
2 files changed, 17 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 5fce52a..0f39088 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5653,3 +5653,13 @@ claims to be a string, which is probably more correct. This should
also eliminate server round-trips when clients ask for UTF-8, get a
string, then ask for a string (Opera).
----------------------------------------------------------------------
+Tue Mar 15 23:03:57 2011 mej
+
+Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
+XIM code. This only affects versions where XIM support is compiled in
+(which it is by default). There are no known exploits for this bug,
+but it is theoretically exploitable. Thanks to Jonathan Brossard and
+the team at Toucan System for responsibly disclosing this
+vulnerability and to CERT for assisting with coordination and
+disclosure.
+----------------------------------------------------------------------
diff --git a/src/command.c b/src/command.c
index 0f7fdd3..462c3f2 100644
--- a/src/command.c
+++ b/src/command.c
@@ -1274,6 +1274,7 @@ clean_exit(void)
}
if (xim_input_method) {
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
}
# endif
XCloseDisplay(Xdisplay);
@@ -2088,6 +2089,7 @@ xim_real_init(void)
if ((XGetIMValues(xim_input_method, XNQueryInputStyle, &xim_styles, NULL)) || (!xim_styles)) {
libast_print_error("input method doesn't support any style\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
strncpy(tmp, (rs_preedit_type ? rs_preedit_type : "OverTheSpot,OffTheSpot,Root"), sizeof(tmp) - 1);
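Review bot: The close-then-reset pair added here is repeated by hand at every error return of xim_real_init (also the hunks at -2122, -2129 and -2160) and once more in clean_exit, so the next exit path someone adds can bring the stale pointer back. Routing these exits through a single `fail:` label, or a small static helper that does `XCloseIM(xim_input_method); xim_input_method = NULL;`, would keep the two statements together. A comment such as `/* clear the handle: clean_exit() calls XCloseIM() on any non-NULL xim_input_method */` would record why the reset matters. xim_real_init starts and ends outside these hunks, so whether other exits still skip the reset cannot be checked from here.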
@@ -2099,7 +2101,8 @@ xim_real_init(void)
break;
}
for (end = s; (*end && (*end != ',')); end++);
- for (next_s = end--; ((end >= s) && isspace(*end)); end--);
+ next_s = ((*end) ? (end) : (end + 1));
+ for (end--; ((end >= s) && isspace(*end)); end--);
*(end + 1) = '\0';
if (!strcmp(s, "OverTheSpot")) {
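Review bot: The new `next_s` assignment looks inverted for the last token: when `*end` is the terminator it selects `end + 1`, one byte past the NUL, and only the comma case stays on `end`. The loop header is outside this hunk, so this is inferred, but if the loop still advances with `s = next_s + 1`, the final token leaves `s` two bytes past the end of the string in `tmp` before `*s` is tested again. Assuming that increment, `next_s = ((*end) ? (end) : (end - 1));` would land `s` exactly on the terminator and end the loop in bounds. If `tmp` is plain `char`, `isspace(*end)` should also become `isspace((unsigned char) *end)`.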
@@ -2122,6 +2125,7 @@ xim_real_init(void)
if (found == 0) {
libast_print_error("input method doesn't support my preedit type\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if ((xim_input_style != (XIMPreeditNothing | XIMStatusNothing))
@@ -2129,6 +2133,7 @@ xim_real_init(void)
&& (xim_input_style != (XIMPreeditPosition | XIMStatusNothing))) {
libast_print_error("This program does not support the preedit type\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if (xim_input_style & XIMPreeditPosition) {
@@ -2160,6 +2165,7 @@ xim_real_init(void)
if (!xim_input_context) {
libast_print_error("Failed to create input context\n");
XCloseIM(xim_input_method);
+ xim_input_method = NULL;
return -1;
}
if (xim_input_style & XIMPreeditArea)