Re: [Spice-devel] [PATCH 3/5] x11: don't return freed memory from get_clipboard

2011-07-18 Thread Alon Levy
On Fri, Jul 08, 2011 at 12:17:30PM +0200, Christophe Fergeau wrote:
 There is a double free in client/x11/platform.cpp.
 In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
 *data_ret (which is returned to the caller) has already been
 assigned data, so it will be pointing to freed memory when data is
 XFree'd. Then in handle_selection_notify, get_selection_free is called on
 this pointer, which causes a double free.
 When the length of the read data = 0, set the returned value to NULL,
 this way subsequent free attempts will be a noop.
 Fixes RH bug #710461

ACK.

 ---
  client/x11/platform.cpp |8 ++--
  1 files changed, 6 insertions(+), 2 deletions(-)
 
 diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp
 index 910d61e..fe98eae 100644
 --- a/client/x11/platform.cpp
 +++ b/client/x11/platform.cpp
 @@ -2575,8 +2575,12 @@ static int get_selection(XEvent event, Atom type, 
 Atom prop, int format,
  }
  len = clipboard_data_size;
  *data_ret = clipboard_data;
 -} else
 -*data_ret = data;
 +} else {
 +if (len  0)
 +*data_ret = data;
 +else
 +*data_ret = NULL;
 +}
  
  if (len  0)
  ret_val = len;
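Review bot: the new else branch tests `len > 0` and the unchanged context two lines later tests the same thing again (`if (len > 0) ret_val = len;`), so the out-parameter and the return value are decided by two separate checks that must stay in sync; one test that sets both, e.g. `if (len > 0) { *data_ret = data; ret_val = len; } else *data_ret = NULL;`, would keep them from ever disagreeing. Note also that the comparison operator in `if (len  0)` has been lost in this rendering of the hunk.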
 -- 
 1.7.6
 
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel


[Spice-devel] [PATCH 3/5] x11: don't return freed memory from get_clipboard

2011-07-08 Thread Christophe Fergeau
There is a double free in client/x11/platform.cpp.
In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
*data_ret (which is returned to the caller) has already been
assigned data, so it will be pointing to freed memory when data is
XFree'd. Then in handle_selection_notify, get_selection_free is called on
this pointer, which causes a double free.
When the length of the read data = 0, set the returned value to NULL,
this way subsequent free attempts will be a noop.
Fixes RH bug #710461
---
 client/x11/platform.cpp |8 ++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp
index 910d61e..fe98eae 100644
--- a/client/x11/platform.cpp
+++ b/client/x11/platform.cpp
@@ -2575,8 +2575,12 @@ static int get_selection(XEvent event, Atom type, Atom 
prop, int format,
 }
 len = clipboard_data_size;
 *data_ret = clipboard_data;
-} else
-*data_ret = data;
+} else {
+if (len  0)
+*data_ret = data;
+else
+*data_ret = NULL;
+}
 
 if (len  0)
 ret_val = len;
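Review bot: the `*data_ret = clipboard_data;` branch in the context above is not given the same length check, so if `clipboard_data_size` is 0 the function still returns with `ret_val == -1` and a non-NULL `*data_ret`, which is the shape of bug the commit message describes; applying the same `len > 0` guard there (or clearing `*data_ret` in the exit: path right where `data` is XFree'd, which would cover every error path at once) would be more robust. The fix also relies on the caller treating a NULL `*data_ret` as nothing to free; get_selection_free is not in the hunk, so please confirm it is NULL-safe.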
-- 
1.7.6
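The out-parameter hazard the commit message describes, as an added C model that is not SPICE code: a tracking free stands in for XFree so the second release is counted instead of executed, and the patched branch can be switched on to show that a NULL out-parameter ends the double free.

```c
/* Model of the get_selection() bug: the out-parameter is assigned before
 * the error path frees the buffer, so the caller frees it a second time.
 * Hypothetical code; only the control flow mirrors client/x11/platform.cpp. */
#include <stdlib.h>
#include <string.h>

#define MAX_FREES 8
static void *freed_log[MAX_FREES];
static int freed_count;

/* Stand-in for XFree(): releases a pointer the first time it is seen and
 * reports (rather than performs) any later release of the same pointer. */
static int tracked_free(void *p)
{
    int i;
    if (p == NULL)
        return 0;                       /* freeing NULL is a no-op */
    for (i = 0; i < freed_count; i++)
        if (freed_log[i] == p)
            return 1;                   /* double free detected */
    if (freed_count < MAX_FREES)
        freed_log[freed_count++] = p;
    free(p);
    return 0;
}

/* Mirrors get_selection(): read len bytes, hand them out through data_ret,
 * and free the buffer on the ret_val == -1 exit path.
 * fixed == 0 reproduces the original code, fixed == 1 applies the patch. */
static int get_selection_model(int len, int fixed, char **data_ret)
{
    size_t n = len > 0 ? (size_t)len : 1;
    char *data = malloc(n);
    int ret_val = -1;
    if (data == NULL)
        return -1;
    memset(data, 'x', n);               /* constructed clipboard payload */
    if (!fixed || len > 0)
        *data_ret = data;               /* original: assigned even for len == 0 */
    else
        *data_ret = NULL;               /* patched: nothing returned, nothing to free */
    if (len > 0)
        ret_val = len;
    if (ret_val == -1 && data != NULL)
        tracked_free(data);             /* the exit: path XFree's data */
    return ret_val;
}

/* Caller behaviour from handle_selection_notify(): free whatever came back.
 * Returns 1 when that free is a double free, 0 otherwise. */
static int caller_frees(int len, int fixed)
{
    char *p = NULL;
    freed_count = 0;
    get_selection_model(len, fixed, &p);
    return tracked_free(p);
}
```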
