[PATCH 19/25] [libx11] Using freed pointer "prop_ret"
Erkki Seppälä
erkki.seppala at vincit.fi
Mon Jan 31 03:07:26 PST 2011
From: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
In the case were a first call to XGetWindowProperty succeeds but the
initial value of len is smaller than the total length of the property,
prop_return is freed and another call XGWP is made. If that subsequent
call fails, unless the subsequent
if (format_ret == 0 || nitems_ret == 0)
ends up returning XcmsFailure, the freed value of prop_ret from the
previous call to XGWP will be returned.
This patches changes the funcion to behavior to return XcmsFailure
if the call do XGetWindowProperty fails.
Reviewed-by: Erkki Seppälä <erkki.seppala at vincit.fi>
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
Signed-off-by: Erkki Seppälä <erkki.seppala at vincit.fi>
---
src/xcms/cmsProp.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c
index 856ae84..9294cc7 100644
--- a/src/xcms/cmsProp.c
+++ b/src/xcms/cmsProp.c
@@ -121,11 +121,12 @@ _XcmsGetProperty(
long len = 6516;
unsigned long nitems_ret, after_ret;
Atom atom_ret;
+ int xgwp_ret;
- while (XGetWindowProperty (pDpy, w, property, 0, len, False,
- XA_INTEGER, &atom_ret, &format_ret,
- &nitems_ret, &after_ret,
- (unsigned char **)&prop_ret)) {
+ while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+ XA_INTEGER, &atom_ret, &format_ret,
+ &nitems_ret, &after_ret,
+ (unsigned char **)&prop_ret))) {
if (after_ret > 0) {
len += nitems_ret * (format_ret >> 3);
XFree (prop_ret);
@@ -133,7 +134,7 @@ _XcmsGetProperty(
break;
}
}
- if (format_ret == 0 || nitems_ret == 0) {
+ if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) {
/* the property does not exist or is of an unexpected type */
return(XcmsFailure);
}
--
1.7.0.4
More information about the xorg-devel
mailing list