[PATCH] Fix double-free conditions in X devd backend

Robert Millan rmh at freebsd.org
Thu Feb 13 23:30:22 UTC 2014


On 03/02/2014 14:25, Robert Millan wrote:
> On 01/02/2014 23:16, Baptiste Daroussin wrote:
>> On Sat, Feb 01, 2014 at 01:39:48AM +0100, Robert Millan wrote:
>>>
>>> Hi Baptiste,
>>>
>>> Is the devd backend you wrote for X still maintained? If so, I've fixed a
>>> few problems (including a 100% reproducible heap corruption!). Shall I send
>>> patches your way?
>>>
>>
>> Yes it is, please send the patches to the x11@ mailing list and CC me.
> 
> Okay, here's the first one which fixes three conditions that could lead to
> double-free:
> 
> - xstrdup(path) before passing it to input_option_new() a second time. This
>   avoids the potential for double-free when the callee deallocates them.
> 
> - Fix another double-free condition: socket_getline() is expected by its caller
>   to set **out as a pointer to an allocated block whenever it returns a
>   non-negative value. Therefore do not free() buf when its strlen() is zero.
> 
> - The routine in wakeup_handler() ends with a "free(line)" so the `line'
>   variable must not be tampered with. This issue is 100% reproducible and
>   in my system results in an X server crash each time a mouse/keyboard is
>   plugged/unplugged!
> 

Rediffed against:

http://trillian.chruetertee.ch/ports/browser/trunk/x11-servers/xorg-server/files/extra-devd

-- 
Robert Millan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: double-free.diff
Type: text/x-patch
Size: 862 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-x11/attachments/20140213/0f298e77/attachment.bin>
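
The three ownership rules described in the message above, as an added C example that is not part of the original post or of the attached patch. `read_line`, `dup_str`, `consume` and `handle_event` are hypothetical stand-ins for `socket_getline()`, `xstrdup()`, an owning callee such as `input_option_new()`, and the routine in `wakeup_handler()`; the event string format is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Contract: a non-negative return means *out owns a heap block,
 * even when the line is empty. The caller always frees it. */
static int read_line(const char *src, char **out)
{
    size_t n = strcspn(src, "\n");
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;     /* failure: *out untouched */
    memcpy(buf, src, n);
    buf[n] = '\0';
    *out = buf;                     /* no free(buf) here when n == 0 */
    return (int)n;
}

static char *dup_str(const char *s) /* stand-in for xstrdup() */
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Hypothetical callee that takes ownership of its argument and frees it. */
static size_t consume(char *owned)
{
    size_t len = strlen(owned);
    free(owned);
    return len;
}

/* Constructed event format: one type byte, then a device name.
 * Returns the name length summed over both consumers, or -1 on error. */
int handle_event(const char *raw)
{
    char *line = NULL;
    if (read_line(raw, &line) < 0) return -1;
    if (line[0] == '\0') {          /* empty line is still allocated */
        free(line);
        return 0;
    }
    const char *cursor = line + 1;  /* parse via a cursor, never line++ */
    char *a = dup_str(cursor);      /* one private copy per owning callee */
    char *b = dup_str(cursor);
    int total = -1;
    if (a != NULL && b != NULL)
        total = (int)(consume(a) + consume(b));
    else { free(a); free(b); }
    free(line);                     /* exactly the address malloc() returned */
    return total;
}
```

Building this with `-fsanitize=address` and reintroducing any of the three mistakes (sharing one pointer between both `consume()` calls, freeing inside `read_line()` on an empty line, or advancing `line` before the final `free()`) makes the sanitizer report the double-free or invalid free at the offending call.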

