diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-02-11 14:20:24 -0800 |
|---|---|---|
| committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:38 +0200 |
| commit | 290f94aea2b6cf0b265bce33cadcf2f2cbcacd53 (patch) | |
| tree | ff319e3f67a0e74cd2e86c662c0c0c2c0ca190b8 | |
| parent | 93615472844ddbf5c530ad911332e5f316aa21b1 (diff) | |
| download | nx-libs-290f94aea2b6cf0b265bce33cadcf2f2cbcacd53.tar.gz nx-libs-290f94aea2b6cf0b265bce33cadcf2f2cbcacd53.tar.bz2 nx-libs-290f94aea2b6cf0b265bce33cadcf2f2cbcacd53.zip | |
ximcp: Prevent memory leak & double free if multiple %L in string
In the highly unlikely event that TransFileName was passed a path
containing multiple %L entries, for each entry it would call
_XlcFileName, leaking the previous results, and then for each entry it
would copy from that pointer and free it, resulting in invalid pointers
& possible double frees for each use after the first one freed it.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 358 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 359 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Double free (CWE 415)
Double free of pointer 'lcCompose'
at line 360 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
[ This bug was found by the Parfait 0.3.6 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ac417cea1136a3617f5e40f4b106aaa3f48d6c2)
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| -rw-r--r-- | nx-X11/lib/X11/imLcPrs.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c index 4dbcbbed4..549fe523a 100644 --- a/nx-X11/lib/X11/imLcPrs.c +++ b/nx-X11/lib/X11/imLcPrs.c @@ -321,7 +321,8 @@ TransFileName(Xim im, char *name) l += strlen(home); break; case 'L': - lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE); + if (lcCompose == NULL) + lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE); if (lcCompose) l += strlen(lcCompose); break; @@ -357,7 +358,6 @@ TransFileName(Xim im, char *name) if (lcCompose) { strcpy(j, lcCompose); j += strlen(lcCompose); - Xfree(lcCompose); } break; case 'S': @@ -371,6 +371,7 @@ TransFileName(Xim im, char *name) } } *j = '\0'; + Xfree(lcCompose); return ret; } |