Fix possible memory corruption (FS#734)
The memory referred to by the reply argument of property_update_wm_protocols is automatically free'd by xcb later on, so it is not safe to simply use the value of reply in our own data structures. If we did this, future calls to xcb_get_wm_protocols_reply_wipe free the data which has already been free'd by xcb, causing a double-free and corrupting the heap. In addition, it isn't safe to use free'd memory as if it is still allocated.

Instead, duplicate the data referred to by reply and use the duplicate instead.

It seems to me as if the duplication should actually be done in xcb_get_wm_protocols_from_reply, but I'm not really sure. If that is the case, this is simply a work-around until xcb can be fixed.

Signed-off-by: Ari Entlich <atrigent@ccs.neu.edu>
Signed-off-by: Julien Danjou <julien@danjou.info>
parent a89c94e9d7
commit 68b46c5bd2
|
@ -313,12 +313,18 @@ void
|
||||||
property_update_wm_protocols(client_t *c, xcb_get_property_reply_t *reply)
|
property_update_wm_protocols(client_t *c, xcb_get_property_reply_t *reply)
|
||||||
{
|
{
|
||||||
xcb_get_wm_protocols_reply_t protocols;
|
xcb_get_wm_protocols_reply_t protocols;
|
||||||
|
xcb_get_property_reply_t *reply_copy;
|
||||||
|
|
||||||
if(reply)
|
if(reply)
|
||||||
{
|
{
|
||||||
if(!xcb_get_wm_protocols_from_reply(reply, &protocols))
|
reply_copy = p_dup(reply, 1);
|
||||||
|
|
||||||
|
if(!xcb_get_wm_protocols_from_reply(reply_copy, &protocols))
|
||||||
|
{
|
||||||
|
p_delete(&reply_copy);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* If this fails for any reason, we still got the old value */
|
/* If this fails for any reason, we still got the old value */
|
||||||
|
|
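Review bot: `reply_copy = p_dup(reply, 1);` duplicates exactly one `xcb_get_property_reply_t`, but an xcb property reply stores its value bytes in the same allocation, directly after that fixed-size header. If p_dup copies sizeof(*reply) per element, as its arguments suggest, the atom list is not part of the copy, and `xcb_get_wm_protocols_from_reply(reply_copy, &protocols)` leaves `protocols` referring to memory past the end of the duplicate. Suggest sizing the copy as the header plus xcb_get_property_value_length(reply) bytes. It would also help to add a comment stating that on success the copy is owned by `protocols` and released through xcb_get_wm_protocols_reply_wipe, since the visible lines only free it with `p_delete(&reply_copy);` on the failure path.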