summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2024-07-20 16:35:48 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2024-07-20 16:44:05 -0700
commiteb8370d5e4cf3d68f05b679d3679f695542eddb1 (patch)
treee7e6410b469b3b857f5e7e5fa8aae430024a7b8a /src
parentc542acce77be47156e53b74f5f9ca7156b3de7f5 (diff)
XRecordGetContext: Avoid double free in error path
XRecordFreeState() will handle the free for us, so let it. Found by gcc 14.1: XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’ [CWE-416] [-Wanalyzer-use-after-free] 514 | if (state->client_info[i]->ranges) { | ~~~~~~~~~~~~~~~~~~^~~ [...] | 455 | free(client_inf); | | ~~~~~~~~~~~~~~~~ | | | | | (18) freed here Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]") Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>
Diffstat (limited to 'src')
-rw-r--r--src/XRecord.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/XRecord.c b/src/XRecord.c
index e5357b9..efa47bd 100644
--- a/src/XRecord.c
+++ b/src/XRecord.c
@@ -452,10 +452,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
ret->client_info = client_inf;
if (!client_inf || !client_inf_str)
{
- free(client_inf);
_XEatDataWords (dpy, rep.length);
UnlockDisplay(dpy);
- XRecordFreeState(ret);
+ XRecordFreeState(ret); /* frees ret->client_info, aka client_inf */
SyncHandle();
return 0;
}