tags 514406 + patch
thanks

Hi,

I read some man pages, looked at the source code and came up with the attached patch.

I noticed that options.c has a function (addExecToCommand()) that creates a copy of the locker command line if it doesn't contain any semicolons. This means I only ran into this bug, because my locker contains semicolons!

I patched this function to just always unconditionally copy the string and to never prepend the locker with 'exec', because stuff like 'a & b', 'a || b' etc. isn't handled. I doubt this will cause any problems, but feel free to come up with a different fix.

With this patch applied, valgrind doesn't complain about wrong memory usages anymore.

Uli

P.S.: Thanks to Patrick Matthäi for helping me with this bug mail. CC'd security on his advice, blame him. ;)

--
"Do you know that books smell like nutmeg or some spice from a foreign land?"
  -- Faber in Fahrenheit 451
diff -Nurp xautolock-2.1.orig/src/options.c xautolock-2.1/src/options.c --- xautolock-2.1.orig/src/options.c 2002-01-15 16:37:33.000000000 +0100 +++ xautolock-2.1/src/options.c 2009-02-07 14:01:47.192402633 +0100 @@ -250,6 +254,8 @@ addExecToCommand (const char** command) * actually consists of multiple ones, we need to look for `;' * characters first. We can only err on the safe side here... */ + /* FIXME: This would also need to handle other stuff like e.g. & */ +#if 0 if (!strchr (*command, ';')) { char* tmp; @@ -257,6 +263,14 @@ addExecToCommand (const char** command) "exec %s", *command); *command = tmp; } +#else + /* Create a copy of the string or else XrmDestroyDatabase would free() that + * string from underneath us. + */ + char* tmp = newArray (char, strlen (*command) + 1); + (void) strcpy (tmp, *command); + *command = tmp; +#endif } #endif /* !VMS */
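Review bot: In the first hunk, putting the `if (!strchr (*command, ';'))` branch under `#if 0` leaves dead code in a function that is still called addExecToCommand() but no longer adds `exec`, and the retained comment ("We can only err on the safe side here...") now describes a check that is compiled out. Either delete the disabled branch and rename or re-document the function, or keep the branch live. Separately, the header `@@ -250,6 +254,8 @@` shows a four-line offset that no earlier hunk in this diff accounts for, so it is worth confirming that the posted patch is complete.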
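Review bot: The `#else` branch in the second hunk fixes the string being freed "from underneath us" by copying it, but it also drops the `exec` prefix for every locker, including the single-command case that the `"exec %s"` branch handled until now. A narrower fix would keep the existing `if` and add the copy as its `else`, so only commands containing `;` take the new path and every path ends with `*command` pointing at memory xautolock owns. The declaration `char* tmp = newArray (...)` also sits directly in the function body rather than in its own block as in the original branch; if any statement precedes it in the function, a pre-C99 compiler will reject it, so wrapping the three new lines in braces is safer.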