From eb8370d5e4cf3d68f05b679d3679f695542eddb1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 20 Jul 2024 16:35:48 -0700
Subject: XRecordGetContext: Avoid double free in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
XRecordFreeState() will handle the free for us, so let it.
Found by gcc 14.1: XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’ [CWE-416] [-Wanalyzer-use-after-free] 514 | if (state->client_info[i]->ranges) { | ~~~~~~~~~~~~~~~~~~^~~ [...] | 455 | free(client_inf); | | ~~~~~~~~~~~~~~~~ | | | | | (18) freed here
Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]")
Signed-off-by: Alan Coopersmith
Part-of:
---
 src/XRecord.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/XRecord.c b/src/XRecord.c
index e5357b9..efa47bd 100644
--- a/src/XRecord.c
+++ b/src/XRecord.c
@@ -452,10 +452,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
 ret->client_info = client_inf;
 if (!client_inf || !client_inf_str) {
- free(client_inf);
 _XEatDataWords (dpy, rep.length);
 UnlockDisplay(dpy);
- XRecordFreeState(ret);
+ XRecordFreeState(ret); /* frees ret->client_info, aka client_inf */
 SyncHandle();
 return 0;
 }
-- cgit v1.2.3
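Review bot: The error path still leaks `client_inf_str` when `client_inf` is NULL but `client_inf_str` was successfully allocated, because the `if (!client_inf || !client_inf_str)` branch only releases `ret` through XRecordFreeState and nothing in the hunk frees `client_inf_str`. Unless `client_inf_str` is also reachable from `ret` (its allocation is outside the hunk, so I cannot confirm), add `free(client_inf_str);` immediately before `XRecordFreeState(ret);`. The gcc trace quoted in the message shows XRecordFreeState walking `state->client_info[i]->ranges`, so relying on it here is only safe if `ret->nclients` is already set and `client_inf` was zero-initialised (calloc) rather than malloc'd; that allocation lies a few lines above, outside the hunk, and is worth checking. XRecordGetContext's body begins before and continues after this hunk.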