| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2012-05-26 15:07:07 -0700 | 
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2012-05-28 10:03:09 -0700 | 
| commit | 52081b462ff7d1844d014bf9be887197caa88160 (patch) | |
| tree | ad0954c1918125cc20339c86cea7e4f3d080ee55 | |
| parent | ca35cff72a3100c9367b7e7f4811117c8733b8be (diff) | |
Only call XawStackFree if XawStackAlloc was used for allocation

In FormParagraph() in TextAction.c, the #if OLDXAW case always uses
fixed length buffers, while the !OLDXAW case uses XawStackAlloc &
XawStackFree to switch to dynamic allocations when the buffers aren't
large enough.

A couple instances of XawStackFree slipped into the wrong side of
the #if checks though, so move them back where they belong. Also
reset pos afterwards, in the case we continue and may use it again,
to avoid the chance of a double free.

Found by the Parfait 0.5.0.1 bug checking tool:
Error: Free memory not allocated dynamically by alloc (CWE 590)
   Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory
        at line 3946 of TextAction.c in function 'FormParagraph'.
          'buf' allocated at line 0 as auto variable.
        at line 4000 of TextAction.c in function 'FormParagraph'.
          'buf' allocated at line 0 as auto variable.
Error: Use after free (CWE 416)
   Use after free of pointer '&buf'
        at line 3995 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.
Error: Use after free
   Double free (CWE 415): Double free of pointer '&buf' in call to XtFree
        at line 4000 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.
   Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree
        at line 4000 of TextAction.c in function 'FormParagraph'.
          Previously freed at line 3946 with XtFree.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>
| -rw-r--r-- | src/TextAction.c | 5 | 
1 files changed, 3 insertions, 2 deletions
| diff --git a/src/TextAction.c b/src/TextAction.c index fe7e573..7b87ce4 100644 --- a/src/TextAction.c +++ b/src/TextAction.c @@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)      }      if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) { +	XawStackFree(pos, buf); +	pos = buf;  #else      from =  SrcScan(ctx->text.source, ctx->text.insertPos,  		    XawstParagraph, XawsdLeft, 1, False); @@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)      if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) {  #endif -	XawStackFree(pos, buf);  	XBell(XtDisplay(w), 0);  #ifndef OLDXAW  	if (undo) { @@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)  			       XawsdLeft, 1, False), False);  	tw->text.clear_to_eol = True;      } +    XawStackFree(pos, buf);  #else      ctx->text.old_insert = ctx->text.insertPos = *pos;      _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top,  			   XawstEOL, XawsdLeft, 1, False), False);      ctx->text.clear_to_eol = True;  #endif -    XawStackFree(pos, buf);      ctx->text.showposition = True;      EndAction(ctx); | 
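Review bot: In the first hunk (@@ -3935,6 +3935,8), the added `pos = buf;` after `XawStackFree(pos, buf);` carries no comment, and its safety depends on something this diff does not show: it only prevents a second free if XawStackFree skips pointers equal to buf. Please confirm that against the macro definition and put the reasoning from the commit message next to the assignment (execution may continue and reach the later XawStackFree(pos, buf), so pos must not keep the freed address), otherwise a later reader may take the line for a leftover and delete it. It is also worth noting there that anything on the continue path that reads through pos now sees buf, not the allocation that was just released.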
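Review bot: In the third hunk (@@ -3991,13 +3992,13), the moved `XawStackFree(pos, buf);` now sits directly above `#else`, and nothing there or at `#endif` records that the OLDXAW arm deliberately has no free because it uses fixed-length buffers. The commit message says these calls had already slipped to the wrong side of the #if once, so a one-line comment at `#else`, or annotating `#endif` with the condition it closes, would make the asymmetry harder to undo by accident. This site also leaves pos unchanged after the free while the error path in the first hunk resets it; the context lines after `#endif` do not use pos, so it is harmless as shown, but resetting it here too would keep the two free sites consistent.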
