[PATCH 24/32] [libx11] Using freed pointer "prop_ret"

Erkki Seppälä erkki.seppala at vincit.fi
Wed Jan 26 23:54:07 PST 2011


From: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>

In the case where a first call to XGetWindowProperty succeeds but the
initial value of len is smaller than the total length of the property,
prop_return is freed and another call to XGWP is made. If that subsequent
call fails, unless the subsequent

  if (format_ret == 0 || nitems_ret == 0)

ends up returning XcmsFailure, the freed value of prop_ret from the
previous call to XGWP will be returned.

This patch changes the function's behavior to return XcmsFailure
if the call to XGetWindowProperty fails.

Reviewed-by: Erkki Seppälä <erkki.seppala at vincit.fi>
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
---
 src/xcms/cmsProp.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c
index 856ae84..9294cc7 100644
--- a/src/xcms/cmsProp.c
+++ b/src/xcms/cmsProp.c
@@ -121,11 +121,12 @@ _XcmsGetProperty(
     long len = 6516;
     unsigned long nitems_ret, after_ret;
     Atom atom_ret;
+    int xgwp_ret;
 
-    while (XGetWindowProperty (pDpy, w, property, 0, len, False,
-			       XA_INTEGER, &atom_ret, &format_ret,
-			       &nitems_ret, &after_ret,
-			       (unsigned char **)&prop_ret)) {
+    while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+					   XA_INTEGER, &atom_ret, &format_ret,
+					   &nitems_ret, &after_ret,
+					   (unsigned char **)&prop_ret))) {
 	if (after_ret > 0) {
 	    len += nitems_ret * (format_ret >> 3);
 	    XFree (prop_ret);
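
Review bot: the rewritten `while` condition still enters the body whenever the return value is nonzero, and Xlib's `Success` is 0, so `len += nitems_ret * (format_ret >> 3)` and `XFree (prop_ret)` run only after a call that did not succeed, reading `nitems_ret` and `after_ret`, which are declared without initializers just above. Consider making the call inside the loop and growing `len` and retrying only when `xgwp_ret == Success && after_ret > 0`, breaking otherwise. Setting `prop_ret = NULL` right after `XFree (prop_ret)` would also keep a stale pointer from surviving a failed retry.
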
@@ -133,7 +134,7 @@ _XcmsGetProperty(
 	    break;
 	}
     }
-    if (format_ret == 0 || nitems_ret == 0) {
+    if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) {
 	/* the property does not exist or is of an unexpected type */
 	return(XcmsFailure);
     }
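
Review bot: in the new condition, `xgwp_ret == 0` tests for the success value, since `Success` is defined as 0, so this returns XcmsFailure exactly when XGetWindowProperty succeeded and lets a failed call continue past the check with whatever `prop_ret` holds. The test should read `xgwp_ret != Success`, using the named constant rather than a literal. The comment on the following line could also be extended to mention the failed call as a third reason for returning XcmsFailure.
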
-- 
1.7.0.4


