diff options
author | Tilman Sauerbeck <tilman@code-monkey.de> | 2006-11-25 05:29:31 -0800 |
---|---|---|
committer | Jamey Sharp <jamey@minilop.net> | 2006-11-25 05:29:31 -0800 |
commit | d56e78acce9b2aa1dd1bf172afedaa3bccd5e1c8 (patch) | |
tree | 78e89182bbedec2b4c3582848d09c4be51ec835f | |
parent | 934ca763bbc0dd7ae460469bfc000ba101602bcc (diff) |
Bug #9153: Fix access to freed memory.
The fix for bug #8622 introduced a smaller bug where _XReply would
read memory shortly after freeing it. This patch caches the needed
value in a stack-allocated variable before the heap-allocated memory
is freed.
-rw-r--r-- | src/xcb_io.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/xcb_io.c b/src/xcb_io.c index 99bb72fa..ba892f8d 100644 --- a/src/xcb_io.c +++ b/src/xcb_io.c @@ -346,6 +346,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard) xcb_connection_t *c = dpy->xcb->connection; char *reply; PendingRequest *current; + unsigned int current_sequence; assert(!dpy->xcb->reply_data); @@ -363,13 +364,18 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard) check_internal_connections(dpy); process_responses(dpy, 0, &error, current->sequence); + current_sequence = current->sequence; + remove_pending_request(dpy, current); if(current->waiters) { /* The ConditionBroadcast macro contains an if; braces needed here. */ ConditionBroadcast(dpy, ¤t->condition); } else + { free(current); + current = NULL; + } if(error) { @@ -424,7 +430,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard) return 0; } - dpy->last_request_read = current->sequence; + dpy->last_request_read = current_sequence; /* there's no error and we have a reply. */ dpy->xcb->reply_data = reply; |