[PATCH libX11] Fix wrong Xfree in XListFonts failure path
Alan Coopersmith
alan.coopersmith at oracle.com
Sat Jan 7 17:55:34 UTC 2017
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Looks like this bug was introduced just after the 1.6.4 release and hasn't
made it out into a libX11 release yet - thanks for catching it in time.
-alan-
On 01/ 7/17 07:20 AM, Julien Cristau wrote:
> 'ch' gets moved inside the allocated buffer as we're looping through
> fonts, so keep a reference to the start of the buffer so we can pass
> that to Xfree in the failure case.
>
> Fixes: commit 20a3f99eba5001925b8b313da3accb7900eb1927 "Plug a memory leak"
>
> Signed-off-by: Julien Cristau <jcristau at debian.org>
> ---
> src/FontNames.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/FontNames.c b/src/FontNames.c
> index 3e23b5f4..9ffdfd29 100644
> --- a/src/FontNames.c
> +++ b/src/FontNames.c
> @@ -43,6 +43,7 @@ int *actualCount) /* RETURN */
> register int length;
> char **flist = NULL;
> char *ch = NULL;
> + char *chstart;
> char *chend;
> int count = 0;
> xListFontsReply rep;
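Review bot: `chstart` is declared without an initializer in this hunk, while the neighbouring `flist` and `ch` are both initialized to `NULL`. Suggest `char *chstart = NULL;` so that any cleanup path that runs before the later `chstart = ch;` assignment passes a null pointer to Xfree rather than an indeterminate one.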
> @@ -86,6 +87,7 @@ int *actualCount) /* RETURN */
> /*
> * unpack into null terminated strings.
> */
> + chstart = ch;
> chend = ch + (rlen + 1);
> length = *(unsigned char *)ch;
> *ch = 1; /* make sure it is non-zero for XFreeFontNames */
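Review bot: the new `chstart = ch;` line has no comment saying why a second pointer is kept. The existing "unpack into null terminated strings" comment above it does not cover this. A short comment here stating that `chstart` holds the start of the allocated buffer because `ch` is advanced during unpacking, and that it is the pointer that must go to Xfree, would keep the two from being confused again.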
> @@ -98,14 +100,14 @@ int *actualCount) /* RETURN */
> *ch = '\0'; /* and replace with null-termination */
> count++;
> } else {
> - Xfree(ch);
> + Xfree(chstart);
> Xfree(flist);
> flist = NULL;
> count = 0;
> break;
> }
> } else {
> - Xfree(ch);
> + Xfree(chstart);
> Xfree(flist);
> flist = NULL;
> count = 0;
>
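Review bot: both `else` branches in this hunk carry the same cleanup sequence (`Xfree(chstart); Xfree(flist); flist = NULL; count = 0;`), so the pointer fix had to be made in two places and any later change to the failure path will have to be as well. Consider moving the cleanup to a single spot that both branches reach, so there is one Xfree of the buffer start to keep correct.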
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc