[PATCH] fix doPolyText use-after-free issue

Alan Hourihane alanh at fairlite.co.uk
Tue Oct 4 00:48:55 PDT 2011


Attached.

Thanks Jeremy. What's happening to the 1.10.x branch now ? Can this be
nominated for that too ?

Alan.

On 09/28/11 07:46, Jeremy Huddleston wrote:
> I missed this point at first.  The context is that in 'bail', c is accessed and expected to be the old value.
>
> Candidate for 1.11-branch
>
> Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>
>
> I think something is wrong with your mailer (or maybe mine).  I was unable to git-am this patch.  Can you please resend it as an attachment, and I'll git-am it into my tree.
>
> --Jeremy
>
> On Sep 27, 2011, at 6:51 AM, Alan Hourihane wrote:
>
>> dixfonts: Don't overwrite local c variable until new_closure is safely
>> initialized.
>>
>> Signed-off-by: Alan Hourihane <alanh at vmware.com>
>>
>> diff --git a/dix/dixfonts.c b/dix/dixfonts.c
>> index fbac124..d2bcb84 100644
>> --- a/dix/dixfonts.c
>> +++ b/dix/dixfonts.c
>> @@ -1302,31 +1302,30 @@ doPolyText(ClientPtr client, PTclosurePtr c)
>>             goto bail;
>>             }
>>             *new_closure = *c;
>> -            c = new_closure;
>>
>> -            len = c->endReq - c->pElt;
>> -            c->data = malloc(len);
>> -            if (!c->data)
>> +            len = new_closure->endReq - new_closure->pElt;
>> +            new_closure->data = malloc(len);
>> +            if (!new_closure->data)
>>             {
>> -            free(c);
>> +            free(new_closure);
>>             err = BadAlloc;
>>             goto bail;
>>             }
>> -            memmove(c->data, c->pElt, len);
>> -            c->pElt = c->data;
>> -            c->endReq = c->pElt + len;
>> +            memmove(new_closure->data, new_closure->pElt, len);
>> +            new_closure->pElt = new_closure->data;
>> +            new_closure->endReq = new_closure->pElt + len;
>>
>>             /* Step 2 */
>>
>> -            pGC = GetScratchGC(c->pGC->depth, c->pGC->pScreen);
>> +            pGC = GetScratchGC(new_closure->pGC->depth,
>> new_closure->pGC->pScreen);
>>             if (!pGC)
>>             {
>> -            free(c->data);
>> -            free(c);
>> +            free(new_closure->data);
>> +            free(new_closure);
>>             err = BadAlloc;
>>             goto bail;
>>             }
>> -            if ((err = CopyGC(c->pGC, pGC, GCFunction |
>> +            if ((err = CopyGC(new_closure->pGC, pGC, GCFunction |
>>                       GCPlaneMask | GCForeground |
>>                       GCBackground | GCFillStyle |
>>                       GCTile | GCStipple |
>> @@ -1337,15 +1336,16 @@ doPolyText(ClientPtr client, PTclosurePtr c)
>>                       Success)
>>             {
>>             FreeScratchGC(pGC);
>> -            free(c->data);
>> -            free(c);
>> +            free(new_closure->data);
>> +            free(new_closure);
>>             err = BadAlloc;
>>             goto bail;
>>             }
>> +            c = new_closure;
>>             origGC = c->pGC;
>>             c->pGC = pGC;
>>             ValidateGC(c->pDraw, c->pGC);
>> -            
>> +
>>             ClientSleep(client, (ClientSleepProcPtr)doPolyText, c);
>>
>>             /* Set up to perform steps 3 and 4 */
>>
>> _______________________________________________
>> xorg-devel at lists.x.org: X.Org development
>> Archives: http://lists.x.org/archives/xorg-devel
>> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dixfonts.c.patch
Type: text/x-patch
Size: 2058 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-devel/attachments/20111004/83a7ec95/attachment.bin>


More information about the xorg-devel mailing list