[Spice-devel] [PATCH 3/5] x11: don't return freed memory from get_clipboard

Christophe Fergeau cfergeau at redhat.com
Fri Jul 8 03:17:30 PDT 2011


There is a double free in client/x11/platform.cpp.
In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
*data_ret (which is returned to the caller) has already been
assigned "data", so it will be pointing to freed memory when "data" is
XFree'd. Then in handle_selection_notify, get_selection_free is called on
this pointer, which causes a double free.
When the length of the read data is 0, set the returned value to NULL;
this way subsequent free attempts will be a no-op.
Fixes RH bug #710461
---
 client/x11/platform.cpp |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp
index 910d61e..fe98eae 100644
--- a/client/x11/platform.cpp
+++ b/client/x11/platform.cpp
@@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format,
         }
         len = clipboard_data_size;
         *data_ret = clipboard_data;
-    } else
-        *data_ret = data;
+    } else {
+        if (len > 0)
+            *data_ret = data;
+        else
+            *data_ret = NULL;
+    }
 
     if (len > 0)
         ret_val = len;
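Review bot: in the new else block, the len <= 0 path leaves *data_ret NULL but nothing in this hunk releases `data` itself; the commit message relies on the exit: path XFree'ing `data` when ret_val == -1, so please confirm that path still runs for the zero-length read (it does only if ret_val stays -1 when len is 0, which the `if (len > 0) ret_val = len;` immediately below suggests), otherwise the patch trades the double free for a leak. Minor: the `len > 0` test is now duplicated two lines apart; `*data_ret = len > 0 ? data : NULL;` with a one-line comment saying why an empty buffer is deliberately not handed to the caller would be shorter and would make the intent visible to someone reading the else branch alone.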
-- 
1.7.6
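As an added illustration, not code from the Spice project, the pattern the commit message describes: an out-parameter that aliases a buffer which the function's own error path then frees, so the caller's cleanup frees it a second time. The free is instrumented to count a repeated release instead of executing it (a real double free is undefined behaviour and need not crash), and the before/after variants mirror the hunk's else branch. `read_property`, `get_selection_before`, `get_selection_after`, `run_scenario` and the tracker are hypothetical stand-ins for the X property read, get_selection, handle_selection_notify and XFree, not the functions in client/x11/platform.cpp.

```c
#include <stdlib.h>
#include <string.h>

/* Instrumented stand-in for XFree: remembers every pointer it released so a
   second release of the same address is counted rather than performed. */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int n_freed, n_alloc, n_double_free;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                 /* freeing NULL is a no-op, as with XFree(NULL) */
    for (int i = 0; i < n_freed; i++) {
        if (freed_ptrs[i] == p) {
            n_double_free++;    /* same address released twice: the bug */
            return;
        }
    }
    if (n_freed < MAX_TRACKED)
        freed_ptrs[n_freed++] = p;
    free(p);
}

static void reset_tracker(void)
{
    n_freed = n_alloc = n_double_free = 0;
}

/* Hypothetical stand-in for the property read: a malloc'd copy of `src`.
   len == 0 models a zero-length selection, the case the patch addresses. */
static unsigned char *read_property(const unsigned char *src, int len)
{
    unsigned char *p = malloc(len > 0 ? (size_t)len : 1);
    if (p == NULL)
        return NULL;
    n_alloc++;
    if (len > 0)
        memcpy(p, src, (size_t)len);
    return p;
}

/* Pre-patch shape: *data_ret aliases `data` unconditionally, and the exit
   path frees `data` when the call fails, so the caller is left holding a
   dangling pointer that it will free again. */
static int get_selection_before(const unsigned char *src, int len,
                                unsigned char **data_ret)
{
    int ret_val = -1;
    unsigned char *data = read_property(src, len);
    if (data == NULL)
        goto exit;
    *data_ret = data;
    if (len > 0)
        ret_val = len;
exit:
    if (ret_val == -1 && data != NULL)
        tracked_free(data);
    return ret_val;
}

/* Post-patch shape: the buffer is only handed out when there is data, so on
   failure the caller sees NULL and its own free becomes a no-op. */
static int get_selection_after(const unsigned char *src, int len,
                               unsigned char **data_ret)
{
    int ret_val = -1;
    unsigned char *data = read_property(src, len);
    if (data == NULL)
        goto exit;
    *data_ret = len > 0 ? data : NULL;
    if (len > 0)
        ret_val = len;
exit:
    if (ret_val == -1 && data != NULL)
        tracked_free(data);
    return ret_val;
}

/* Caller modelled on the notify handler: releases whatever it was given.
   Returns the number of double frees observed; *leaked receives the number
   of buffers never released (allocations minus real frees). */
static int run_scenario(int use_fix, int len, int *leaked)
{
    unsigned char *buf = NULL;
    const unsigned char *sample = (const unsigned char *)"abc"; /* constructed input */
    reset_tracker();
    if (use_fix)
        get_selection_after(sample, len, &buf);
    else
        get_selection_before(sample, len, &buf);
    tracked_free(buf);
    *leaked = n_alloc - n_freed;
    return n_double_free;
}
```

With a zero-length read the pre-patch variant reports one double free, while the post-patch variant reports none and also leaks nothing, which is the check worth keeping: the exit path must still release `data` once the out-parameter stops pointing at it. For a non-empty read both variants behave identically, since the error path is not taken and only the caller frees the buffer.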