Bug 93186 - _XimProtoSetIMValues use after free()
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2015-11-30 22:47 UTC by Sami Farin
Modified: 2018-08-10 20:11 UTC

Description Sami Farin 2015-11-30 22:47:27 UTC
This magical function fails if the first for(;;) loop
succeeds in "tmp = Xmalloc(buf_size + data_len))"
and then succeeds in "name = _XimEncodeIMATTRIBUTE".

Then magical lines
    buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
    buf_s[0] = im->private.proto.imid;
access free()d memory.  Assuming _XimEncodeIMATTRIBUTE sets ret_len to != 0.
Comment 1 GitLab Migration User 2018-08-10 20:11:13 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libx11/issues/49.
