xorg-x11-server/CVE-2022-3551.patch

From d7ac1fb14657f278fcc32863aa99eb32a2069d58 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 24 Oct 2022 17:06:15 +0800
Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName

GetComponentByName returns an allocated string, so let's free that if we
fail somewhere.

Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
---
 xkb/xkb.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 4dccc62..123671a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5936,19 +5936,35 @@ ProcXkbGetKbdByName(ClientPtr client)
     xkb = dev->key->xkbInfo->desc;
     status = Success;
     str = (unsigned char *) &stuff[1];
-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
-        return BadMatch;
+    {
+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
+        if (keymap) {
+            free(keymap);
+            return BadMatch;
+        }
+    }
     names.keycodes = GetComponentSpec(&str, TRUE, &status);
     names.types = GetComponentSpec(&str, TRUE, &status);
     names.compat = GetComponentSpec(&str, TRUE, &status);
     names.symbols = GetComponentSpec(&str, TRUE, &status);
     names.geometry = GetComponentSpec(&str, TRUE, &status);
-    if (status != Success)
+    if (status == Success) {
+        len = str - ((unsigned char *) stuff);
+        if ((XkbPaddedSize(len) / 4) != stuff->length)
+            status = BadLength;
+    }
+
+    if (status != Success) {
+        free(names.keycodes);
+        free(names.types);
+        free(names.compat);
+        free(names.symbols);
+        free(names.geometry);
         return status;
     len = str - ((unsigned char *) stuff);
     if ((XkbPaddedSize(len) / 4) != stuff->length)
         return BadLength;
-
+    }
     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
 
-- 
2.33.0