On Fri, Jul 08, 2011 at 12:17:30PM +0200, Christophe Fergeau wrote:
There is a double free in client/x11/platform.cpp.
In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
*data_ret (which is returned to the caller) has already been
assigned data, so it will be pointing to freed memory when data is
XFree'd. Then in handle_selection_notify, get_selection_free is called on
this pointer, which causes a double free.
When the length of the read data = 0, set the returned value to NULL,
this way subsequent free attempts will be a noop.
Fixes RH bug #710461
ACK.
---
client/x11/platform.cpp |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp
index 910d61e..fe98eae 100644
--- a/client/x11/platform.cpp
+++ b/client/x11/platform.cpp
@@ -2575,8 +2575,12 @@ static int get_selection(XEvent event, Atom type,
Atom prop, int format,
}
len = clipboard_data_size;
*data_ret = clipboard_data;
-} else
-*data_ret = data;
+} else {
+if (len 0)
+*data_ret = data;
+else
+*data_ret = NULL;
+}
if (len 0)
ret_val = len;
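Review bot: the guard this hunk adds keys on `len` alone, while the commit message describes the double free as the `exit:` path with `ret_val == -1` and `data != NULL`; it is worth confirming in review that every path reaching `exit:` with `ret_val == -1` also has `len == 0`, since on any other such path `*data_ret` would still carry the freed pointer. The new `else` branch and the unchanged `if (len 0)` line directly below test the same condition, so the assignment could be folded into the existing check rather than duplicated. Note also that the comparison operator between `len` and `0` has been dropped from both occurrences in the quoted hunk, so the archived copy cannot be applied as shown.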
--
1.7.6
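The dangling out-parameter the commit message describes, modelled in C as an added example (this is not code from the SPICE client or from the patch). It assumes a `read_selection` stand-in for the X11 property read and a small live-allocation table, `tracked_alloc`/`tracked_free`, that reports a second free of the same buffer as -1 instead of performing it. `get_selection_model` reproduces the `exit:` shape before the patch (pointer published, then freed) and after it (NULL published on a zero-length read), and `notify_and_free` plays the caller from handle_selection_notify:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal live-allocation table so a repeated free is reported instead of
 * being undefined behaviour. Addresses are stored as integers, not pointers.
 * (Constructed for this example; not part of the SPICE client.) */
#define MAX_LIVE 16
static uintptr_t live[MAX_LIVE];
static int live_count = 0;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);          /* malloc(0) may legally return NULL */
    if (p != NULL && live_count < MAX_LIVE)
        live[live_count++] = (uintptr_t)p;
    return p;
}

/*  0: p was NULL, nothing to do (free(NULL) is a no-op)
 *  1: p was live and has now been released
 * -1: p is not a live allocation, i.e. a double or invalid free (not freed) */
static int tracked_free(void *p)
{
    uintptr_t key = (uintptr_t)p;
    if (p == NULL)
        return 0;
    for (int i = 0; i < live_count; i++) {
        if (live[i] == key) {
            live[i] = live[--live_count];
            free(p);
            return 1;
        }
    }
    return -1;
}

/* Stand-in for the X11 property read (assumption: XGetWindowProperty is not
 * modelled): a constructed payload of `len` bytes filled with 'A'. */
static unsigned char *read_selection(size_t len)
{
    unsigned char *d = tracked_alloc(len);
    if (d != NULL && len > 0)
        memset(d, 'A', len);
    return d;
}

/* Shape of get_selection() before (fixed == 0) and after (fixed == 1) the
 * patch. Before: the buffer is published through *data_ret and then released
 * on the failure path, leaving the caller a dangling pointer. After: a
 * zero-length read publishes NULL, so the caller's free is a no-op. */
static int get_selection_model(size_t len, unsigned char **data_ret, int fixed)
{
    unsigned char *data = read_selection(len);
    int ret_val = -1;

    *data_ret = NULL;
    if (data == NULL)
        goto exit;

    if (!fixed || len > 0)
        *data_ret = data;                 /* buggy: assigned unconditionally */
    /* fixed: *data_ret stays NULL when len == 0 */

    if (len > 0)
        ret_val = (int)len;

exit:
    if (ret_val == -1 && data != NULL)
        tracked_free(data);               /* XFree(data) in the real code */
    return ret_val;
}

static int get_selection_buggy(size_t len, unsigned char **data_ret)
{
    return get_selection_model(len, data_ret, 0);
}

static int get_selection_fixed(size_t len, unsigned char **data_ret)
{
    return get_selection_model(len, data_ret, 1);
}

/* Caller pattern from handle_selection_notify: release whatever came back.
 * Returns tracked_free's verdict, so a double free shows up as -1. */
static int notify_and_free(int (*get_sel)(size_t, unsigned char **), size_t len)
{
    unsigned char *p = NULL;
    get_sel(len, &p);
    return tracked_free(p);
}

/* The invariant the patch establishes: an empty read reports -1 and leaves
 * *data_ret NULL. Returns 1 when it holds, 0 otherwise. */
static int empty_read_yields_null(int (*get_sel)(size_t, unsigned char **))
{
    unsigned char *p = NULL;
    int r = get_sel(0, &p);
    return r == -1 && p == NULL;
}

int main(void)
{
    printf("buggy, len 0: %d (-1 = double free detected)\n", notify_and_free(get_selection_buggy, 0));
    printf("fixed, len 0: %d (0 = free(NULL) no-op)\n", notify_and_free(get_selection_fixed, 0));
    printf("fixed, len 4: %d (1 = freed exactly once)\n", notify_and_free(get_selection_fixed, 4));
    return 0;
}
```

The tracker is the point for defenders: under a real allocator the buggy path is undefined behaviour that may or may not crash, which is why a double free can sit unnoticed; running the same code under a build with a checking allocator (the table above, or AddressSanitizer in practice) turns the second free into a deterministic report.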
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel