[PATCH] Fix multiple free property data
Peter Hutterer
peter.hutterer at who-t.net
Tue Jul 21 17:35:00 PDT 2009
On Tue, Jul 21, 2009 at 05:52:50PM +0200, Pierre Willenbrock wrote:
> Hi list,
>
> this fixes a problem where data of window properties is freed without
> the reference being replaced, leading to multiple frees and making bad
> things happen when the memory is reused (crashes).
>
> This happens very seldom, since most of the time there is no data
> attached to the property or it is replaced. It takes quite some time to
> trigger when editing in emacs using the gtk gui. To my knowledge, no
> other program had this problem.
>
> Regards,
> Pierre
> From beff1cbe069a2d0ae17293bc1c9881dca641c24f Mon Sep 17 00:00:00 2001
> From: Pierre Willenbrock <pierre at pirsoft.de>
> Date: Tue, 21 Jul 2009 17:21:28 +0200
> Subject: [PATCH] Check if new space was actually allocated before freeing.
>
> There will be no new space allocated, if mode != PropModeReplace and
> len == 0, or if mode is not one of the handled modes.
> This fixes freeing data that is still in use, leading to double frees and
> other memory corruption.
> ---
> dix/property.c | 13 +++++++++----
> 1 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/dix/property.c b/dix/property.c
> index 20c18d7..a007aa6 100644
> --- a/dix/property.c
> +++ b/dix/property.c
> @@ -350,10 +350,15 @@ dixChangeWindowProperty(ClientPtr pClient, WindowPtr pWin, Atom property,
> /* Allow security modules to check the new content */
> access_mode |= DixPostAccess;
> rc = XaceHookPropertyAccess(pClient, pWin, &pProp, access_mode);
> - if (rc == Success)
> - xfree(savedProp.data);
> - else {
> - xfree(pProp->data);
> + if (rc == Success)
> + {
> + if (savedProp.data != pProp->data)
> + xfree(savedProp.data);
> + }
> + else
> + {
> + if (savedProp.data != pProp->data)
> + xfree(pProp->data);
> *pProp = savedProp;
> return rc;
> }
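Review bot: The savedProp.data != pProp->data guard in front of both xfree() calls has no comment saying when the two pointers can be equal. The commit message explains it (mode != PropModeReplace with len == 0, or a mode that is not handled), but the code does not, so a later cleanup could drop the check as redundant. A short comment above the if (rc == Success) block would record that. The same comparison is also written out in both branches; evaluating it once into a local before the branch would keep the success and failure paths in sync. As a style point, the added else and { on separate lines depart from the else { form of the lines being removed.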
> --
> 1.6.3.3
Thanks, merged. Will be pushed in a tick.
Cheers,
Peter