Thanks for the heads-up. I only found one other place where a similar leak occurs -- and in the case of xm_api.c, I figure that XMesaDestroyVisual() is an "client-facing" call, so in the interest of maintaining layering I've just made the appropriate free() call.