From c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 12 Jan 2023 15:05:39 +1000
Subject: [PATCH] Prevent a double free in the error code path

xpmParseDataAndCreate() calls XDestroyImage() in the error path.
Reproducible with sxpm "zero-width.xpm", that file is in the test/
directory.

The same approach is needed in the bytes_per_line == 0 condition though
here it just plugs a memory leak.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Origin:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d2135dbebe9a367c5f0
---
 lib/Xm/Xpmcreate.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/Xm/Xpmcreate.c b/lib/Xm/Xpmcreate.c
index d0f3c3b..01c5d1a 100644
--- a/lib/Xm/Xpmcreate.c
+++ b/lib/Xm/Xpmcreate.c
@@ -954,10 +954,14 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
 #ifndef FOR_MSW
     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
   	XDestroyImage(*image_return);
+  	*image_return = NULL;
         return (XpmNoMemory);
     }
-    if((*image_return)->bytes_per_line == 0 ||  height == 0)
+    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
+        XDestroyImage(*image_return);
+        *image_return = NULL;
         return XpmNoMemory;
+    }
     /* now that bytes_per_line must have been set properly alloc data */
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
-- 
2.46.0