[PATCH:libX11] ximcp: Prevent memory leak & double free if %L appears twice in string

Alan Coopersmith alan.coopersmith at oracle.com
Fri Feb 11 14:35:37 PST 2011 

In the highly unlikely event that TransFileName was passed a path
containing multiple %L entries, for each entry it would call
_XlcFileName, leaking the previous results, and then for each entry it
would copy from that pointer and free it, resulting in invalid pointers
& possible double frees for each use after the first one freed it.

Error: Use after free (CWE 416)
   Use after free of pointer 'lcCompose'
        at line 358 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
          Previously freed at line 360 with free.
Error: Use after free (CWE 416)
   Use after free of pointer 'lcCompose'
        at line 359 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
          Previously freed at line 360 with free.
Error: Double free (CWE 415)
   Double free of pointer 'lcCompose'
        at line 360 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
          Previously freed at line 360 with free.

[ This bug was found by the Parfait 0.3.6 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 modules/im/ximcp/imLcPrs.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/im/ximcp/imLcPrs.c b/modules/im/ximcp/imLcPrs.c
index 75449ef..4e54385 100644
--- a/modules/im/ximcp/imLcPrs.c
+++ b/modules/im/ximcp/imLcPrs.c
@@ -321,7 +321,8 @@ TransFileName(Xim im, char *name)
                      l += strlen(home);
    	         break;
    	      case 'L':
-                 lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
+                 if (lcCompose == NULL)
+                     lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
                  if (lcCompose)
                      l += strlen(lcCompose);
    	         break;
@@ -357,7 +358,6 @@ TransFileName(Xim im, char *name)
    	         if (lcCompose) {
                     strcpy(j, lcCompose);
                     j += strlen(lcCompose);
-                    Xfree(lcCompose);
                  }
    	         break;
    	      case 'S':
@@ -371,6 +371,7 @@ TransFileName(Xim im, char *name)
       }
    }
    *j = '\0';
+   Xfree(lcCompose);
    return ret;
 }
 
-- 
1.7.3.2

More information about the xorg-devel mailing list