[PATCH:libXaw 2/2] Only call XawStackFree if XawStackAlloc was used for allocation

Alan Coopersmith alan.coopersmith at oracle.com
Sat May 26 15:17:49 PDT 2012


In FormParagraph() in TextAction.c, the #if OLDXAW case always uses
fixed length buffers, while the !OLDXAW case uses XawStackAlloc &
XawStackFree to switch to dynamic allocations when the buffers aren't
large enough.

A couple instances of XawStackFree slipped into the wrong side of
the #if checks though, so move them back where they belong.  Also
reset pos afterwards, in the case we continue and may use it again,
to avoid the chance of a double free.

Found by the Parfait 0.5.0.1 bug checking tool:

Error: Free memory not allocated dynamically by alloc (CWE 590)
   Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory
        at line 3946 of TextAction.c in function 'FormParagraph'.
          'buf' allocated at line 0 as auto variable.
        at line 4000 of TextAction.c in function 'FormParagraph'.
          'buf' allocated at line 0 as auto variable.
Error: Use after free (CWE 416)
   Use after free of pointer '&buf'
        at line 3995 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.
Error: Use after free
   Double free (CWE 415): Double free of pointer '&buf' in call to XtFree
        at line 4000 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.
   Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree
        at line 4000 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 src/TextAction.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/TextAction.c b/src/TextAction.c
index fe7e573..7b87ce4 100644
--- a/src/TextAction.c
+++ b/src/TextAction.c
@@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
     }
 
     if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) {
+	XawStackFree(pos, buf);
+	pos = buf;
 #else
     from =  SrcScan(ctx->text.source, ctx->text.insertPos,
 		    XawstParagraph, XawsdLeft, 1, False);
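
Review bot: Resetting with `pos = buf;` after `XawStackFree(pos, buf);` in the error branch may leave `pos` pointing at a buffer that is too small for what follows. The call just above passes `src->textSrc.num_text` alongside `pos`, and the commit message says the dynamic allocation exists for the case where the fixed buffers are not large enough. If the code that continues indexes `pos` by that count, it would now read past `buf` instead of touching freed memory. Please confirm that nothing after this branch walks `pos` beyond the size of `buf`, or leave the error path before `pos` is used again rather than re-pointing it.
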
@@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
 
     if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) {
 #endif
-	XawStackFree(pos, buf);
 	XBell(XtDisplay(w), 0);
 #ifndef OLDXAW
 	if (undo) {
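
Review bot: With the shared `XawStackFree(pos, buf);` removed here, the cleanup for the !OLDXAW build now sits between the `if (FormRegion(...)) {` line and `#else` in the first hunk, which makes the split `if` harder to follow. The context below already opens an `#ifndef OLDXAW` block right after `XBell(XtDisplay(w), 0);`, so the free and the reset could go at the top of that block instead, keeping both preprocessor branches of the `if` header free of statements. The OLDXAW error path then has no free at all, which matches the commit message's statement that this build always uses fixed length buffers.
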
@@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
 			       XawsdLeft, 1, False), False);
 	tw->text.clear_to_eol = True;
     }
+    XawStackFree(pos, buf);
 #else
     ctx->text.old_insert = ctx->text.insertPos = *pos;
     _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top,
 			   XawstEOL, XawsdLeft, 1, False), False);
     ctx->text.clear_to_eol = True;
 #endif
-    XawStackFree(pos, buf);
     ctx->text.showposition = True;
 
     EndAction(ctx);
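
Review bot: The `XawStackFree(pos, buf);` added before `#else` is undocumented as the call that the `pos = buf;` reset in the first hunk protects. It is at function-body level, and the commit message says the error path may continue, so this line can be reached after that branch has already released the allocation. A short comment here stating that `pos` is either `buf` or a still-live allocation at this point would make that invariant visible to anyone adding another early free later. The lines that follow (`ctx->text.showposition = True;` and `EndAction(ctx);`) do not touch `pos`, so no reset is needed after this call.
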
-- 
1.7.9.2


