From eb8370d5e4cf3d68f05b679d3679f695542eddb1 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 20 Jul 2024 16:35:48 -0700 Subject: XRecordGetContext: Avoid double free in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit XRecordFreeState() will handle the free for us, so let it. Found by gcc 14.1: XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’ [CWE-416] [-Wanalyzer-use-after-free] 514 | if (state->client_info[i]->ranges) { | ~~~~~~~~~~~~~~~~~~^~~ [...] | 455 | free(client_inf); | | ~~~~~~~~~~~~~~~~ | | | | | (18) freed here Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]") Signed-off-by: Alan Coopersmith Part-of: --- src/XRecord.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/XRecord.c') diff --git a/src/XRecord.c b/src/XRecord.c index e5357b9..efa47bd 100644 --- a/src/XRecord.c +++ b/src/XRecord.c @@ -452,10 +452,9 @@ XRecordGetContext(Display *dpy, XRecordContext context, ret->client_info = client_inf; if (!client_inf || !client_inf_str) { - free(client_inf); _XEatDataWords (dpy, rep.length); UnlockDisplay(dpy); - XRecordFreeState(ret); + XRecordFreeState(ret); /* frees ret->client_info, aka client_inf */ SyncHandle(); return 0; } -- cgit v1.2.3