From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
Date: Tue, 30 Apr 2024 16:37:21 +0200
Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`_XimRead()` is being called with `reply` as target buffer instead of using `preply`, accessing uninitialized memory a few lines later.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn: Calling "malloc" which returns uninitialized memory.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign: Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))", which points to uninitialized data.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use: Using uninitialized value "*((CARD8 *)preply)".
# 571| }
# 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
# 573|-> if (*((CARD8 *)preply) == XIM_ERROR) {
# 574| _XimProcError(im, 0, (XPointer)&buf_s[3]);
# 575| if(reply != preply)
Signed-off-by: José Expósito
Part-of:
---
 modules/im/ximcp/imDefLkup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
index 2e53ab23..8ccaee26 100644
--- a/modules/im/ximcp/imDefLkup.c
+++ b/modules/im/ximcp/imDefLkup.c
@@ -635,7 +635,7 @@ _XimTriggerNotify(
 } else {
 buf_size = len;
 preply = Xmalloc(len);
- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
+ ret_code = _XimRead(im, &len, preply, buf_size,
 _XimTriggerNotifyCheck, (XPointer)ic);
 if(ret_code != XIM_TRUE) {
 Xfree(preply);
--
2.45.2
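Review bot: `preply = Xmalloc(len);` is handed to `_XimRead()` as the destination buffer on the very next line with no NULL check visible in this hunk, and since the fix makes `preply` the actual read target, a failed allocation would now pass a null buffer into the read path. Add a guard between the two lines, `if (preply == NULL)`, that returns through the same failure value the function's other error paths use. `len` appears to be the length reported by the preceding read, so it is worth confirming, outside this hunk, that it is bounded before it sizes the allocation. The body of `_XimTriggerNotify` starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out from here.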