author | Michael Jennings <mej@kainx.org> | 2011-05-15 21:19:59 +0000 |
---|---|---|
committer | Michael Jennings <mej@kainx.org> | 2011-05-15 21:19:59 +0000 |
commit | e096c4df0f63fbef9833a8ede248d30ea36650e8 (patch) | |
tree | 31ed98725fa8c8062e105dc338872c04f4ac2e61 | |
parent | 369e95c1df681537492ac4132fcc439a66dd7884 (diff) | |
download | eterm-e096c4df0f63fbef9833a8ede248d30ea36650e8.tar.gz |
Tue Mar 15 23:03:57 2011 mej
Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
XIM code. This only affects versions where XIM support is compiled in
(which it is by default). There are no known exploits for this bug,
but it is theoretically exploitable. Thanks to Jonathan Brossard and
the team at Toucan System for responsibly disclosing this
vulnerability and to CERT for assisting with coordination and
disclosure.
----------------------------------------------------------------------
SVN revision: 59413
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/command.c | 8 |
2 files changed, 17 insertions, 1 deletions
@@ -5653,3 +5653,13 @@ claims to be a string, which is probably more correct. This should also eliminate server round-trips when clients ask for UTF-8, get a string, then ask for a string (Opera).
 ----------------------------------------------------------------------
+Tue Mar 15 23:03:57 2011 mej
+
+Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
+XIM code. This only affects versions where XIM support is compiled in
+(which it is by default). There are no known exploits for this bug,
+but it is theoretically exploitable. Thanks to Jonathan Brossard and
+the team at Toucan System for responsibly disclosing this
+vulnerability and to CERT for assisting with coordination and
+disclosure.
+----------------------------------------------------------------------
diff --git a/src/command.c b/src/command.c
index 0f7fdd3..462c3f2 100644
--- a/src/command.c
+++ b/src/command.c
@@ -1274,6 +1274,7 @@ clean_exit(void)
 }
 if (xim_input_method) {
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 }
 # endif
 XCloseDisplay(Xdisplay);
@@ -2088,6 +2089,7 @@ xim_real_init(void)
 if ((XGetIMValues(xim_input_method, XNQueryInputStyle, &xim_styles, NULL)) || (!xim_styles)) {
 libast_print_error("input method doesn't support any style\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 strncpy(tmp, (rs_preedit_type ? rs_preedit_type : "OverTheSpot,OffTheSpot,Root"), sizeof(tmp) - 1);
@@ -2099,7 +2101,8 @@ xim_real_init(void)
 break;
 }
 for (end = s; (*end && (*end != ',')); end++);
- for (next_s = end--; ((end >= s) && isspace(*end)); end--);
+ next_s = ((*end) ? (end) : (end + 1));
+ for (end--; ((end >= s) && isspace(*end)); end--);
 *(end + 1) = '\0';
 if (!strcmp(s, "OverTheSpot")) {
@@ -2122,6 +2125,7 @@ xim_real_init(void)
 if (found == 0) {
 libast_print_error("input method doesn't support my preedit type\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if ((xim_input_style != (XIMPreeditNothing | XIMStatusNothing))
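Review bot: The `XCloseIM(xim_input_method); xim_input_method = NULL;` pair added in the clean_exit hunk (@@ -1274) is written out by hand again in the four xim_real_init error paths patched at @@ -2088, @@ -2122, @@ -2129 and @@ -2160, so a close site added later can silently reintroduce the dangling pointer behind CVE-2011-0409. A single static helper that closes the input method and clears the global in one place would make that invariant hard to break. Clearing the pointer only helps if every later user of xim_input_method tests it for NULL before use; those call sites are outside these hunks and are worth auditing alongside this change. clean_exit's body starts and ends outside the hunk.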
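Review bot: The `strncpy(tmp, ..., sizeof(tmp) - 1)` context line that closes the @@ -2088 hunk leaves tmp without a terminator when rs_preedit_type is at least sizeof(tmp) - 1 bytes long, unless tmp is zero-filled or terminated on a line the hunk does not show. The token scan patched in the following hunk walks tmp until it meets '\0', so it depends on that terminator being present. If it is not already guaranteed, add `tmp[sizeof(tmp) - 1] = '\0';` directly after the copy. The declaration of tmp and the rest of xim_real_init are outside the hunk.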
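Review bot: In the @@ -2099 hunk, `next_s = ((*end) ? (end) : (end + 1));` puts next_s one byte past the terminator when the scan on the preceding line stops at '\0' (the last token), whereas the removed line left it on the terminator itself. The loop header that advances `s` from `next_s` is outside the hunk, so the effect cannot be confirmed from here, but if it steps with `next_s + 1` the next iteration would test `*s` two bytes beyond the end of the string. Please check the header; should it advance that way, the terminator case wants `next_s = ((*end) ? (end) : (end - 1));` so that `s` lands on the '\0' and the loop stops. Separately, `isspace(*end)` on the new line receives a plain char and should be `isspace((unsigned char) *end)` so that bytes above 0x7f in the preedit string are not passed as negative values.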
@@ -2129,6 +2133,7 @@ xim_real_init(void)
 && (xim_input_style != (XIMPreeditPosition | XIMStatusNothing))) {
 libast_print_error("This program does not support the preedit type\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if (xim_input_style & XIMPreeditPosition) {
@@ -2160,6 +2165,7 @@ xim_real_init(void)
 if (!xim_input_context) {
 libast_print_error("Failed to create input context\n");
 XCloseIM(xim_input_method);
+ xim_input_method = NULL;
 return -1;
 }
 if (xim_input_style & XIMPreeditArea) |