author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-02-11 14:20:24 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-02-11 14:42:37 -0800 |
commit | 6ac417cea1136a3617f5e40f4b106aaa3f48d6c2 (patch) | |
tree | 5af3446a556c409ea8c599d1dfa9745159d88f95 | |
parent | 502d414118c97d35a44f8e295709682022876331 (diff) |
ximcp: Prevent memory leak & double free if multiple %L in string
In the highly unlikely event that TransFileName was passed a path
containing multiple %L entries, for each entry it would call
_XlcFileName, leaking the previous results, and then for each entry it
would copy from that pointer and free it, resulting in invalid pointers
& possible double frees for each use after the first one freed it.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 358 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 359 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Double free (CWE 415)
Double free of pointer 'lcCompose'
at line 360 of modules/im/ximcp/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
[ This bug was found by the Parfait 0.3.6 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | modules/im/ximcp/imLcPrs.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/modules/im/ximcp/imLcPrs.c b/modules/im/ximcp/imLcPrs.c index 75449ef2..4e54385b 100644 --- a/modules/im/ximcp/imLcPrs.c +++ b/modules/im/ximcp/imLcPrs.c @@ -321,7 +321,8 @@ TransFileName(Xim im, char *name) l += strlen(home); break; case 'L': - lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE); + if (lcCompose == NULL) + lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE); if (lcCompose) l += strlen(lcCompose); break; @@ -357,7 +358,6 @@ TransFileName(Xim im, char *name) if (lcCompose) { strcpy(j, lcCompose); j += strlen(lcCompose); - Xfree(lcCompose); } break; case 'S': @@ -371,6 +371,7 @@ TransFileName(Xim im, char *name) } } *j = '\0'; + Xfree(lcCompose); return ret; } |
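Review bot: In the first hunk (case 'L' of the sizing pass), the new `if (lcCompose == NULL)` guard is only correct if lcCompose is initialized to NULL where it is declared, and that declaration is outside the visible context. Please confirm it, since an uninitialized pointer would skip the _XlcFileName lookup and then reach strlen, strcpy and Xfree. When _XlcFileName returns NULL the guard still repeats the lookup for every further %L, which is harmless but deserves a one-line comment.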
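Review bot: In the last hunk, `Xfree(lcCompose);` runs only on the path that falls through to `return ret;`. If TransFileName has any earlier return between the sizing pass and this line (for instance on failure to allocate the result buffer, which this diff does not show), lcCompose would still leak there, so a single cleanup path would be safer. The call is also unconditional now, whereas the removed one sat inside `if (lcCompose)`, so it depends on Xfree accepting a NULL pointer when the name contains no %L.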