configure.ac | 2 +- src/Text.c | 2 +- src/TextAction.c | 9 +++++---- 3 files changed, 7 insertions(+), 6 deletions(-)
New commits: commit ffaad7ee2ef6e06b4585567df04f6b64356fb6fe Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Fri Jun 1 20:31:30 2012 -0700 libXaw 1.0.11 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index 2423263..3ed625e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXaw], [1.0.10], +AC_INIT([libXaw], [1.0.11], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXaw]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) commit 52081b462ff7d1844d014bf9be887197caa88160 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat May 26 15:07:07 2012 -0700 Only call XawStackFree if XawStackAlloc was used for allocation In FormParagraph() in TextAction.c, the #if OLDXAW case always uses fixed length buffers, while the !OLDXAW case uses XawStackAlloc & XawStackFree to switch to dynamic allocations when the buffers aren't large enough. A couple instances of XawStackFree slipped into the wrong side of the #if checks though, so move them back where they belong. Also reset pos afterwards, in the case we continue and may use it again, to avoid the chance of a double free. Found by the Parfait 0.5.0.1 bug checking tool: Error: Free memory not allocated dynamically by alloc (CWE 590) Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory at line 3946 of TextAction.c in function 'FormParagraph'. 'buf' allocated at line 0 as auto variable. at line 4000 of TextAction.c in function 'FormParagraph'. 'buf' allocated at line 0 as auto variable. Error: Use after free (CWE 416) Use after free of pointer '&buf' at line 3995 of TextAction.c in function 'FormParagraph'. Previously freed at line 3946 with XtFree. Error: Use after free Double free (CWE 415): Double free of pointer '&buf' in call to XtFree at line 4000 of TextAction.c in function 'FormParagraph'. Previously freed at line 3946 with XtFree. Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree at line 4000 of TextAction.c in function 'FormParagraph'. Previously freed at line 3946 with XtFree. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Acked-by: pcpa <paulo.cesar.pereira.de.andr...@gmail.com> 
diff --git a/src/TextAction.c b/src/TextAction.c index fe7e573..7b87ce4 100644 --- a/src/TextAction.c +++ b/src/TextAction.c @@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) } if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) { + XawStackFree(pos, buf); + pos = buf; #else from = SrcScan(ctx->text.source, ctx->text.insertPos, XawstParagraph, XawsdLeft, 1, False); @@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) { #endif - XawStackFree(pos, buf); XBell(XtDisplay(w), 0); #ifndef OLDXAW if (undo) { 
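Review bot: Resetting `pos = buf;` right after the early `XawStackFree(pos, buf);` in the `!OLDXAW` error branch prevents the double free, but it leaves `pos` pointing at a stack array that was never filled when the heap path was taken. The later hunk at -3991 shows this build still reaching a block that ends in `tw->text.clear_to_eol = True;` before the final `XawStackFree(pos, buf);`. That block lies outside both hunks, so this is inferred: if it reads `pos[i]` up to `src->textSrc.num_text` on the error path too, it would restore insert positions from uninitialized `buf` entries, and past the end of `buf` whenever the heap path was needed. Dropping the two added lines here and relying on the single `XawStackFree(pos, buf);` added before `#else` in the -3991 hunk would keep the saved positions valid and leave one free site. FormParagraph starts and ends outside the hunk.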
@@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) XawsdLeft, 1, False), False); tw->text.clear_to_eol = True; } + XawStackFree(pos, buf); #else ctx->text.old_insert = ctx->text.insertPos = *pos; _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top, XawstEOL, XawsdLeft, 1, False), False); ctx->text.clear_to_eol = True; #endif - XawStackFree(pos, buf); ctx->text.showposition = True; EndAction(ctx); commit ca35cff72a3100c9367b7e7f4811117c8733b8be Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat May 26 14:44:26 2012 -0700 Correct order of arguments to XawStackFree() XawStackAlloc() & XawStackFree() are macros to automate the process of using a fixed size stack buffer for strings smaller than the buffer size, and allocating/freeing memory for larger strings. XawStackFree is defined in src/Private.h as taking (pointer, stk_buffer) and freeing pointer if it's not pointing to the stack buffer. Most of the calls of this macro get the ordering right, but a couple got it reversed, passing a stack buffer to free() instead of the allocated pointer. Found by the Parfait 0.5.0.1 bug checking tool: Error: Free memory not allocated dynamically by alloc (CWE 590) Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory at line 2281 of TextAction.c in function 'DoFormatText'. 'buf' allocated at line 0 as auto variable. at line 2296 of TextAction.c in function 'DoFormatText'. 'buf' allocated at line 0 as auto variable. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Acked-by: pcpa <paulo.cesar.pereira.de.andr...@gmail.com> diff --git a/src/TextAction.c b/src/TextAction.c index 6705316..fe7e573 100644 --- a/src/TextAction.c +++ b/src/TextAction.c 
@@ -2278,7 +2278,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level, text.length = bytes; bytes -= text.length; if (_XawTextReplace(ctx, tmp, tmp, &text)) { - XawStackFree(buf, text.ptr); + XawStackFree(text.ptr, buf); return (XawEditError); } if (num_pos) { @@ -2293,7 +2293,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level, } position += count; right += count; - XawStackFree(buf, text.ptr); + XawStackFree(text.ptr, buf); } break; } commit 11c3a104141e1a4946ad949dfb5514df0b66a031 Author: pcpa <paulo.cesar.pereira.de.andr...@gmail.com> Date: Tue May 22 20:42:32 2012 -0300 Correct undefined behavior access to out of scope pointer contents. This problem is triggered in gcc 4.7 DCE (dead code elimination). In the Xaw code, the local constant "String" is not guaranteed to have global scope. The problem was found when debugging the reason xedit built with gcc 4.7 would be very unstable, and that happens regardless of using a libXaw built with gcc 4.6. Signed-off-by: pcpa <paulo.cesar.pereira.de.andr...@gmail.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/Text.c b/src/Text.c index 72387e9..a1ae74a 100644 --- a/src/Text.c +++ b/src/Text.c @@ -3146,7 +3146,7 @@ _XawTextSetSelection(TextWidget ctx, XawTextPosition l, XawTextPosition r, if (nelems == 1 && !strcmp (list[0], "none")) return; if (nelems == 0) { - String defaultSel = "PRIMARY"; + static String defaultSel = "PRIMARY"; list = &defaultSel; nelems = 1; } -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1uoho1-0005ot...@vasks.debian.org
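Review bot: Nothing at the two corrected call sites tells a reader which argument is the possibly heap-allocated pointer and which is the stack buffer, which is how the swap went unnoticed. Both `XawStackFree(text.ptr, buf);` lines (this hunk and the -2293 hunk) would benefit from a short comment such as `/* frees text.ptr only when it is not the stack buffer buf */`. The reversed order compiled without a diagnostic, so the remaining XawStackFree callers are worth checking in the same pass; the commit message says most are correct but does not list them. DoFormatText's body continues outside both hunks.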
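Review bot: The `static` on `defaultSel` in `_XawTextSetSelection` is load-bearing but reads like an accident: `list = &defaultSel;` keeps the address after the `if (nelems == 0)` block closes, so the object has to outlive that block. A comment on the declaration, e.g. `/* static: list still points here after this block ends */`, would keep a later cleanup from reintroducing the dangling pointer. The object is now shared across calls and is not `const`, so any later code in this function that stores through `list[0]` would change the default for every subsequent call. That code is outside the hunk and should be confirmed.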