Bug 40577 - Missing bound checking in FreeSelectionProperty()

https://bugs.freedesktop.org/show_bug.cgi?id=40577 FreeSelectionProperty() did not check for the count of items in array and relied on a NULL terminated list, which can cause libXt to crash if FreeSelectionProperty() follows a call to GetSelectionProperty() which reallocates the array. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Olivier Fourdan <fourdan@xfce.org> 2011-09-20 16:45:02 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2011-10-03 09:33:55 -0700
commit: 9347b890ba24db41c7cb6c6e76564e4896bc8cac (patch)
tree: 1ffef403f63de69bfdf05c7693cd562cf4b5be05
parent: 5691187ced24b16a951e2b8308bcc2b65dd36eee (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/Selection.c b/src/Selection.c
index 101ea6a..f35cb44 100644
--- a/src/Selection.c
+++ b/src/Selection.c
@@ -237,6 +237,7 @@ static void FreeSelectionProperty(
     Atom prop)
 {
  SelectionProp p;
+ int propCount;
  PropList sarray;
  if (prop == None) return;
  LOCK_PROCESS;
@@ -247,7 +248,9 @@ static void FreeSelectionProperty(
 		"internal error: no selection property context for display",
 		 (String *)NULL,  (Cardinal *)NULL );
  UNLOCK_PROCESS;
- for (p = sarray->list; p; p++)
+ for (p = sarray->list, propCount=sarray->propCount;
+	propCount;
+	p++, propCount--)
    if (p->prop == prop) {
       p->avail = TRUE;
       return;
author	Olivier Fourdan <fourdan@xfce.org>	2011-09-20 16:45:02 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2011-10-03 09:33:55 -0700
commit	9347b890ba24db41c7cb6c6e76564e4896bc8cac (patch)
tree	1ffef403f63de69bfdf05c7693cd562cf4b5be05
parent	5691187ced24b16a951e2b8308bcc2b65dd36eee (diff)