[PATCH xserver] os: Fix strtok/free crash in ComputeLocalClient

Tomasz Śniatowski kailoran at gmail.com
Wed Dec 6 11:16:17 UTC 2017


Don't reuse cmd for strtok output to ensure the proper pointer is
freed afterwards.

The code incorrectly assumed the pointer returned by strtok(cmd, ":")
would always point to cmd. However, strtok(str, sep) != str if str
begins with sep. This caused an invalid-free crash when running
a program under X with a name beginning with a colon.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123

Signed-off-by: Tomasz Śniatowski <kailoran at gmail.com>
---
 os/access.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/os/access.c b/os/access.c
index 8828e0834..97246160c 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1137,12 +1137,12 @@ ComputeLocalClient(ClientPtr client)
         /* Cut off any colon and whatever comes after it, see
          * https://lists.freedesktop.org/archives/xorg-devel/2015-December/048164.html
          */
-        cmd = strtok(cmd, ":");
+        char *tok = strtok(cmd, ":");
 
 #if !defined(WIN32) || defined(__CYGWIN__)
-        ret = strcmp(basename(cmd), "ssh") != 0;
+        ret = strcmp(basename(tok), "ssh") != 0;
 #else
-        ret = strcmp(cmd, "ssh") != 0;
+        ret = strcmp(tok, "ssh") != 0;
 #endif
 
         free(cmd);
-- 
2.15.1



More information about the xorg-devel mailing list