-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/command.c | 8 |
2 files changed, 17 insertions, 1 deletions
@@ -5653,3 +5653,13 @@ claims to be a string, which is probably more correct. This should also eliminate server round-trips when clients ask for UTF-8, get a string, then ask for a string (Opera).
 ----------------------------------------------------------------------
+Tue Mar 15 23:03:57 2011 mej
+
+Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
+XIM code. This only affects versions where XIM support is compiled in
+(which it is by default). There are no known exploits for this bug,
+but it is theoretically exploitable. Thanks to Jonathan Brossard and
+the team at Toucan System for responsibly disclosing this
+vulnerability and to CERT for assisting with coordination and
+disclosure.
+----------------------------------------------------------------------
diff --git a/src/command.c b/src/command.c
index 0f7fdd3..462c3f2 100644
--- a/src/command.c
+++ b/src/command.c
@@ -1274,6 +1274,7 @@ clean_exit(void)
 }
 if (xim_input_method) {
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 }
 # endif
 XCloseDisplay(Xdisplay);
@@ -2088,6 +2089,7 @@ xim_real_init(void)
 if ((XGetIMValues(xim_input_method, XNQueryInputStyle, &xim_styles, NULL)) || (!xim_styles)) {
 libast_print_error("input method doesn't support any style\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 strncpy(tmp, (rs_preedit_type ? rs_preedit_type : "OverTheSpot,OffTheSpot,Root"), sizeof(tmp) - 1);
@@ -2099,7 +2101,8 @@ xim_real_init(void)
 break;
 }
 for (end = s; (*end && (*end != ',')); end++);
- for (next_s = end--; ((end >= s) && isspace(*end)); end--);
+ next_s = ((*end) ? (end) : (end + 1));
+ for (end--; ((end >= s) && isspace(*end)); end--);
 *(end + 1) = '\0';
 if (!strcmp(s, "OverTheSpot")) {
@@ -2122,6 +2125,7 @@ xim_real_init(void)
 if (found == 0) {
 libast_print_error("input method doesn't support my preedit type\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if ((xim_input_style != (XIMPreeditNothing | XIMStatusNothing))
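Review bot: The pair `XCloseIM(xim_input_method); xim_input_method = NULL;` is now written out five times, in clean_exit and on four error paths of xim_real_init (the hunks at 2088, 2122, 2129 and 2160), so a later error path can omit the clear and bring the stale pointer back. Keeping the close and the clear together in one small static helper called from all five places would hold the invariant in a single spot, with a comment such as `/* clear the handle so later XIM code never sees a closed input method */`. Whether xim_input_context is destroyed and cleared before the method is closed is not visible in these hunks and is worth confirming, since a context should not outlive its input method. Both functions start and end outside the hunks.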
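Review bot: On the last token `*end` is the terminating NUL, and the new `next_s = ((*end) ? (end) : (end + 1));` then leaves next_s one position past that terminator instead of on it. The loop header lies outside this hunk; if it advances with something like `s = next_s + 1`, the following `*s` test would read beyond the string held in tmp, so the assignment and the header should be checked together to make sure s lands on the NUL after the final token. Separately, `isspace(*end)` on the new line is passed a plain char; `isspace((unsigned char)*end)` avoids undefined behaviour for bytes above 0x7f in the preedit-type string.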
@@ -2129,6 +2133,7 @@ xim_real_init(void)
 && (xim_input_style != (XIMPreeditPosition | XIMStatusNothing))) {
 libast_print_error("This program does not support the preedit type\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if (xim_input_style & XIMPreeditPosition) {
@@ -2160,6 +2165,7 @@ xim_real_init(void)
 if (!xim_input_context) {
 libast_print_error("Failed to create input context\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if (xim_input_style & XIMPreeditArea) |