xkb: reset the radio_groups pointer to NULL after freeing it

Unlike other elements of the keymap, this pointer was freed but not reset. On a subsequent XkbGetKbdByName request, the server may access already freed memory. CVE-2022-4283, ZDI-CAN-19530 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Acked-by: Olivier Fourdan <ofourdan@redhat.com>
2022-12-05 15:55:54 +10:00 · 2022-12-05 15:55:54 +10:00 · ccdd431cd8
parent 8f454b793e
commit ccdd431cd8
1 changed files with 1 additions and 0 deletions
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
        }
        else {
            free(dst->names->radio_groups);
+            dst->names->radio_groups = NULL;
        }
        dst->names->num_rg = src->names->num_rg;