Hi list, this fixes a problem where data of window properties is freed without the reference being replaced, leading to multiple frees and making bad things happen when the memory is reused (crashes).
This happens very seldom, since most of the time there is no data attached to the property or it is replaced. It takes quite some time to trigger when editing in emacs using the gtk gui. To my knowledge, no other program had this problem. Regards, Pierre
>From beff1cbe069a2d0ae17293bc1c9881dca641c24f Mon Sep 17 00:00:00 2001 From: Pierre Willenbrock <[email protected]> Date: Tue, 21 Jul 2009 17:21:28 +0200 Subject: [PATCH] Check if new space was actually allocated before freeing. There will be no new space allocated, if mode != PropModeReplace and len == 0, or if mode is not one of the handled modes. This fixes freeing data that is still in use, leading to double frees and other memory corruption. --- dix/property.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/dix/property.c b/dix/property.c index 20c18d7..a007aa6 100644 --- a/dix/property.c +++ b/dix/property.c @@ -350,10 +350,15 @@ dixChangeWindowProperty(ClientPtr pClient, WindowPtr pWin, Atom property, /* Allow security modules to check the new content */ access_mode |= DixPostAccess; rc = XaceHookPropertyAccess(pClient, pWin, &pProp, access_mode); - if (rc == Success) - xfree(savedProp.data); - else { - xfree(pProp->data); + if (rc == Success) + { + if (savedProp.data != pProp->data) + xfree(savedProp.data); + } + else + { + if (savedProp.data != pProp->data) + xfree(pProp->data); *pProp = savedProp; return rc; } -- 1.6.3.3
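Review bot: the `savedProp.data != pProp->data` test is duplicated in both branches of the `if (rc == Success)` in dixChangeWindowProperty; computing it once before the branch, e.g. `Bool reallocated = (savedProp.data != pProp->data);`, and testing that flag in both arms would make the intent explicit and keep the two paths from drifting apart later. The reason the pointers can alias (no new buffer is allocated when mode != PropModeReplace and len == 0, or when mode is not one of the handled modes) lives only in the commit message; a one-line comment next to the check would save the next reader from having to rediscover why freeing unconditionally was a double free. Also, the new `if (rc == Success)` / `else` blocks put `{` on its own line, whereas the surrounding code in the same hunk (the removed `else {`) keeps the brace on the `if`/`else` line; matching the file's existing brace style would keep the diff minimal.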
