[PATCH xts] XI/ChangePointerDevice: Fix double-free

Peter Hutterer peter.hutterer at who-t.net
Tue Jun 11 02:25:15 PDT 2013


On Mon, Jun 10, 2013 at 12:37:24PM -0400, Peter Harris wrote:
> XCloseDevice frees the device parameter, even if it references an
> invalid device. Therefore, the device parameter must have been malloc'd.
> 
> Signed-off-by: Peter Harris <pharris at opentext.com>
> ---
>  xts5/XI/ChangePointerDevice.m |    6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/xts5/XI/ChangePointerDevice.m b/xts5/XI/ChangePointerDevice.m
> index d203f6e..332a9d8 100644
> --- a/xts5/XI/ChangePointerDevice.m
> +++ b/xts5/XI/ChangePointerDevice.m
> @@ -372,7 +372,7 @@ unsigned char bmap[8];
>  XDeviceResolutionControl dctl;
>  XEventClass devicemotionnotifyclass;
>  XEvent ev;
> -XDevice bogus;
> +XDevice bogus, *copy;
>  
>  
>  	if (!Setup_Extension_DeviceInfo(ValMask) || NumValuators < 2)
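Review bot: `copy` is added to the same declaration as the stack object `bogus`, with nothing to say that it exists only to be handed to XCloseDevice, which (per the commit message) frees its argument. Declaring it on its own line with a short comment about that ownership transfer would keep later readers from mistaking it for a second usable device handle.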
> @@ -415,8 +415,10 @@ XDevice bogus;
>  	else
>  		FAIL;
>  
> +	copy = malloc(sizeof(bogus));
> +	memcpy(copy, &bogus, sizeof(bogus));
>  	device = &bogus;
> -	XCloseDevice(display, device);
> +	XCloseDevice(display, copy);
>  	XSync(display,0);
>  	if (geterr() == baddevice)
>  		{
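Review bot: the `malloc(sizeof(bogus))` result on the first added line goes straight into `memcpy` with no NULL check, so an allocation failure would crash the test here instead of reporting a result; check it and take the failure path (the `FAIL` used just above) before copying. Since XCloseDevice frees `copy`, the pointer is dangling after the call; nothing in the visible lines reuses it, but setting `copy = NULL` afterwards would make that explicit. `device = &bogus` is kept above the call although XCloseDevice no longer takes `device`; moving that assignment below the call would make the split between the heap copy and the stack object easier to follow.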
> -- 
> 1.7.10.4

This just doesn't look right, it's a bit confusing.
bogus is only used for the deviceid and only a problem for XCloseDevice, so
you should be able to move the device = &bogus call down past
XCloseDevice(). That closes the already open device and then works on the
copy for the rest, which doesn't care about the stuff other than the device
id.

tbh, a better change would even be to change all the future calls to
directly use &bogus to signal that this is not a valid device anyway.

Cheers,
   Peter


