[PATCH] xserver: Fix double free's in config file parser
Benjamin Herrenschmidt
benh at kernel.crashing.org
Thu Jul 14 00:03:47 PDT 2011
Feeding the parser a bad config file, I crashed the server a few times.
It looks like whoever free's "val.str" (yeah, "val" is a global .. yuck)
is also responsible for clearing the pointer or something else might try
to free it again some time later.
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
---
diff -urN xorg-server-1.10.2.902.orig/hw/xfree86/parser/Input.c xorg-server-1.10.2.902/hw/xfree86/parser/Input.c
--- xorg-server-1.10.2.902.orig/hw/xfree86/parser/Input.c 2011-02-25 14:27:14.000000000 +1100
+++ xorg-server-1.10.2.902/hw/xfree86/parser/Input.c 2011-07-14 16:57:18.912426863 +1000
@@ -106,6 +106,7 @@
if (strcmp(val.str, "keyboard") == 0) {
ptr->inp_driver = strdup("kbd");
free(val.str);
+ val.str = NULL;
}
else
ptr->inp_driver = val.str;
diff -urN xorg-server-1.10.2.902.orig/hw/xfree86/parser/InputClass.c xorg-server-1.10.2.902/hw/xfree86/parser/InputClass.c
--- xorg-server-1.10.2.902.orig/hw/xfree86/parser/InputClass.c 2011-02-25 14:27:14.000000000 +1100
+++ xorg-server-1.10.2.902/hw/xfree86/parser/InputClass.c 2011-07-14 16:57:28.608402699 +1000
@@ -114,6 +114,7 @@
if (strcmp(val.str, "keyboard") == 0) {
ptr->driver = strdup("kbd");
free(val.str);
+ val.str = NULL;
}
else
ptr->driver = val.str;
diff -urN xorg-server-1.10.2.902.orig/hw/xfree86/parser/Screen.c xorg-server-1.10.2.902/hw/xfree86/parser/Screen.c
--- xorg-server-1.10.2.902.orig/hw/xfree86/parser/Screen.c 2011-02-25 14:27:14.000000000 +1100
+++ xorg-server-1.10.2.902/hw/xfree86/parser/Screen.c 2011-07-14 16:56:38.492527593 +1000
@@ -316,6 +316,7 @@
Error (QUOTE_MSG, "SubSection");
{
free(val.str);
+ val.str = NULL;
HANDLE_LIST (scrn_display_lst, xf86parseDisplaySubSection,
XF86ConfDisplayPtr);
}
More information about the xorg-devel
mailing list