[Spice-devel] [PATCH 3/5] x11: don't return freed memory from get_clipboard

Alon Levy alevy at redhat.com
Mon Jul 18 07:56:31 PDT 2011


On Fri, Jul 08, 2011 at 12:17:30PM +0200, Christophe Fergeau wrote:
> There is a double free in client/x11/platform.cpp.
> In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
> *data_ret (which is returned to the caller) has already been
> assigned "data", so it will be pointing to freed memory when "data" is
> XFree'd. Then in handle_selection_notify, get_selection_free is called on
> this pointer, which causes a double free.
> When the length of the read data = 0, set the returned value to NULL,
> this way subsequent free attempts will be a noop.
> Fixes RH bug #710461

ACK.

> ---
>  client/x11/platform.cpp |    8 ++++++--
>  1 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp
> index 910d61e..fe98eae 100644
> --- a/client/x11/platform.cpp
> +++ b/client/x11/platform.cpp
> @@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format,
>          }
>          len = clipboard_data_size;
>          *data_ret = clipboard_data;
> -    } else
> -        *data_ret = data;
> +    } else {
> +        if (len > 0)
> +            *data_ret = data;
> +        else
> +            *data_ret = NULL;
> +    }
>  
>      if (len > 0)
>          ret_val = len;
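Review bot: the `len > 0` test in the new else block duplicates the `if (len > 0) ret_val = len;` check that immediately follows the hunk, so the condition that decides whether the caller owns a valid pointer and the condition that decides the return value are now maintained in two places. Consider collapsing the new branch to `*data_ret = (len > 0) ? data : NULL;` and placing it next to the `ret_val = len;` assignment, so both decisions visibly hinge on the same value and cannot drift apart. The fix also depends on `get_selection_free` (not visible in the hunk) treating a NULL pointer as a no-op, as the commit message states; a one-line comment above `*data_ret = NULL;` saying that the caller's free is expected to skip NULL would make that contract explicit for the next reader.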
> -- 
> 1.7.6
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel