diff options
| author | Christophe Fergeau <cfergeau@redhat.com> | 2011-07-07 16:13:27 +0200 |
|---|---|---|
| committer | Christophe Fergeau <cfergeau@redhat.com> | 2011-07-18 18:15:39 +0200 |
| commit | 933ca15ff4bebd5346e99aefe0b4ba1ea77985c5 (patch) | |
| tree | 696db8e3184452a4c2d34ecfc5c2244504d03a57 /client | |
| parent | 40043d3bc2878fced8773a653660c428df013eb3 (diff) | |
| download | spice-933ca15ff4bebd5346e99aefe0b4ba1ea77985c5.tar.gz spice-933ca15ff4bebd5346e99aefe0b4ba1ea77985c5.tar.xz spice-933ca15ff4bebd5346e99aefe0b4ba1ea77985c5.zip | |
x11: don't return freed memory from get_clipboard
There is a double free in client/x11/platform.cpp.
In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
*data_ret (which is returned to the caller) has already been
assigned "data", so it will be pointing to freed memory when "data" is
XFree'd'. Then in handle_selection_notify, get_selection_free is called on
this pointer, which causes a double free.
When the length of the read data = 0, set the returned value to NULL,
this way subsequent free attempts will be a noop.
Fixes RH bug #710461
Diffstat (limited to 'client')
| -rw-r--r-- | client/x11/platform.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp index 910d61e8..fe98eae9 100644 --- a/client/x11/platform.cpp +++ b/client/x11/platform.cpp @@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format, } len = clipboard_data_size; *data_ret = clipboard_data; - } else - *data_ret = data; + } else { + if (len > 0) + *data_ret = data; + else + *data_ret = NULL; + } if (len > 0) ret_val = len; |