[PATCH libXrandr] Avoid out of boundary accesses on illegal responses
Tobias Stoeckmann
tobias at stoeckmann.org
Sat Jan 7 18:15:42 UTC 2017
Hi Julien,
On Sat, Jan 07, 2017 at 07:03:17PM +0100, Julien Cristau wrote:
> It looks like we're leaking 'attr' on these error paths?
confirmed. That is what I get for copying the error handling of the
attr == NULL case...
diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
index 6665092..8316b78 100644
--- a/src/XrrCrtc.c
+++ b/src/XrrCrtc.c
@@ -459,6 +459,7 @@ XRRGetCrtcTransform (Display *dpy,
e = extra;
if (e + rep.pendingNbytesFilter > end) {
+ XFree (attr);
XFree (extra);
return False;
}
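Review bot: The bound test `e + rep.pendingNbytesFilter > end` builds a pointer from a reply-supplied length before comparing it, so an oversized length forms a pointer past the end of `extra`, which is undefined behaviour and may let an optimising compiler weaken the check. Comparing lengths avoids forming that pointer: `if (rep.pendingNbytesFilter > (size_t)(end - e)) {`. The same applies to the `rep.currentNbytesFilter` test in the third hunk and to `e + 4 > end` in both loops, which could read `if (end - e < 4) {`. The declarations of `e` and `end` are outside the hunk, so this assumes both are byte pointers into the same allocation with `e <= end` at each check.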
@@ -468,6 +469,7 @@ XRRGetCrtcTransform (Display *dpy,
for (p = 0; p < rep.pendingNparamsFilter; p++) {
INT32 f;
if (e + 4 > end) {
+ XFree (attr);
XFree (extra);
return False;
}
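Review bot: The cleanup sequence `XFree (attr); XFree (extra); return False;` now appears four times in XRRGetCrtcTransform (this hunk and the other three), and the commit message says the leak came from copied error handling. A single exit label would stop these paths drifting apart again: each check body becomes `goto fail;` and the function gains a `fail:` label holding the two `XFree` calls and `return False;`. The end of the function is outside the hunks, so the label's position relative to the success return has to be checked against the full file.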
@@ -478,6 +480,7 @@ XRRGetCrtcTransform (Display *dpy,
attr->pendingNparams = rep.pendingNparamsFilter;
if (e + rep.currentNbytesFilter > end) {
+ XFree (attr);
XFree (extra);
return False;
}
@@ -487,6 +490,7 @@ XRRGetCrtcTransform (Display *dpy,
for (p = 0; p < rep.currentNparamsFilter; p++) {
INT32 f;
if (e + 4 > end) {
+ XFree (attr);
XFree (extra);
return False;
}