From FScreen.c:FScreenParseGeometryWithScreen():
943 copy = fxstrdup(parsestring);
944 copy = strsep(&parsestring, "@");
945
946 *screen_return = fxstrdup(parsestring);
947 geom_str = strsep(©, "@");
948 copy = geom_str;
I can't fix this because I don't understand what the code does.
Line 943 allocates some memory and stores the pointer in "copy. OK
Line 944 throws away the just allocated "copy" LEAK A
It tokenizes the "parsestring" passed in by the caller,
thus destroying its value. BUG
The code seems to assume that after "copy = strsep()" the
copy pointer would point to the _next_ token? But it
will be identical to "parsestring". BUG?
Line 946 Returns a copy of the token = the geometry string without
the screen portion through *screen_return. There are two
bugs here:
1) The callers expect the token with the screen string,
not the token with the geometry string. BUG
2) The callers don't know that they have to free() the
returned pointer. LEAK B
Line 947 tokenizes the already tokenized token again, which BUG
is a no-op.
Line 948 overwrites "copy" with its own value => no-op. BUG
--
Summary:
1) LEAK A is inside the function and can be fixed there.
2) LEAK B is in the callers. None of the callers I checked is aware
that *screen_return has to be free()'d.
3) *screen_return contains the geometry portion of the string, but
callers expect it to contain the screen portion.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
