[PATCH libX11] Fix wrong Xfree in XListFonts failure path

Peter Hutterer peter.hutterer at who-t.net
Sun Jan 8 23:29:27 UTC 2017


On Sat, Jan 07, 2017 at 09:55:34AM -0800, Alan Coopersmith wrote:
> Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> 
> Looks like this bug was introduced just after the 1.6.4 release and hasn't
> made it out into a libX11 release yet - thanks for catching it in time.
> 
> 	-alan-

   663f470..c74b070  master -> master


thanks

Cheers,
   Peter

> 
> On 01/ 7/17 07:20 AM, Julien Cristau wrote:
> > 'ch' gets moved inside the allocated buffer as we're looping through
> > fonts, so keep a reference to the start of the buffer so we can pass
> > that to Xfree in the failure case.
> > 
> > Fixes: commit 20a3f99eba5001925b8b313da3accb7900eb1927 "Plug a memory leak"
> > 
> > Signed-off-by: Julien Cristau <jcristau at debian.org>
> > ---
> >  src/FontNames.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/FontNames.c b/src/FontNames.c
> > index 3e23b5f4..9ffdfd29 100644
> > --- a/src/FontNames.c
> > +++ b/src/FontNames.c
> > @@ -43,6 +43,7 @@ int *actualCount)	/* RETURN */
> >      register int length;
> >      char **flist = NULL;
> >      char *ch = NULL;
> > +    char *chstart;
> >      char *chend;
> >      int count = 0;
> >      xListFontsReply rep;
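Review bot: `char *chstart;` in the declaration block is left uninitialised, while `char *ch = NULL;` directly above it is not. Initialising it to NULL as well would keep the declarations consistent and would mean a failure path reached before the later assignment never hands an indeterminate pointer to Xfree.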
> > @@ -86,6 +87,7 @@ int *actualCount)	/* RETURN */
> >  	/*
> >  	 * unpack into null terminated strings.
> >  	 */
> > +	chstart = ch;
> >  	chend = ch + (rlen + 1);
> >  	length = *(unsigned char *)ch;
> >  	*ch = 1; /* make sure it is non-zero for XFreeFontNames */
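Review bot: the new `chstart = ch;` line has no comment explaining why a second pointer is kept, even though the neighbouring `*ch = 1;` line documents its own purpose. A one-line comment saying that chstart is the allocation base to pass to Xfree, because ch advances while the names are unpacked, would keep a later cleanup from removing it. Computing `chend` from chstart rather than ch would make the base explicit too.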
> > @@ -98,14 +100,14 @@ int *actualCount)	/* RETURN */
> >  		    *ch = '\0';  /* and replace with null-termination */
> >  		    count++;
> >  		} else {
> > -                    Xfree(ch);
> > +                    Xfree(chstart);
> >                      Xfree(flist);
> >                      flist = NULL;
> >                      count = 0;
> >                      break;
> >  		}
> >  	    } else {
> > -                Xfree(ch);
> > +                Xfree(chstart);
> >                  Xfree(flist);
> >                  flist = NULL;
> >                  count = 0;
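Review bot: both else branches carry the same cleanup sequence (`Xfree(chstart); Xfree(flist); flist = NULL; count = 0;`), so the pointer fix had to be made twice. Consider moving that sequence to a single shared failure path so the two copies cannot diverge again. Separately, ch still points into the freed buffer after `Xfree(chstart)`; the code that follows the loop is not visible in this hunk, so it is worth confirming that nothing after the loop dereferences or frees ch when flist is NULL.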
> > 
> 
> 
> -- 
> 	-Alan Coopersmith-              alan.coopersmith at oracle.com
> 	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc