_XimProtoSetIMValues use after free()
Submitted by Sami Farin
Assigned to Xorg Project Team
Description
this magical function fails if first for(;;) loop succeeds in "tmp = Xmalloc(buf_size + data_len))" and then succeeds in "name = _XimEncodeIMATTRIBUTE".
Then magical lines buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; buf_s[0] = im->private.proto.imid; access free()d memory. Assuming _XimEncodeIMATTRIBUTE sets ret_len to != 0.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information