From 933ca15ff4bebd5346e99aefe0b4ba1ea77985c5 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Thu, 7 Jul 2011 16:13:27 +0200 Subject: x11: don't return freed memory from get_clipboard There is a double free in client/x11/platform.cpp. In get_selection(), in the exit: case with ret_val == -1 and data != NULL, *data_ret (which is returned to the caller) has already been assigned "data", so it will be pointing to freed memory when "data" is XFree'd'. Then in handle_selection_notify, get_selection_free is called on this pointer, which causes a double free. When the length of the read data = 0, set the returned value to NULL, this way subsequent free attempts will be a noop. Fixes RH bug #710461 --- client/x11/platform.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'client/x11/platform.cpp') diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp index 910d61e8..fe98eae9 100644 --- a/client/x11/platform.cpp +++ b/client/x11/platform.cpp @@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format, } len = clipboard_data_size; *data_ret = clipboard_data; - } else - *data_ret = data; + } else { + if (len > 0) + *data_ret = data; + else + *data_ret = NULL; + } if (len > 0) ret_val = len; -- cgit
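Review bot: the new `else` block tests `len > 0` and the very next statement tests `len > 0` again (`if (len > 0) ret_val = len;`), so the two could be folded into a single branch that sets both the pointer and the return value together, e.g. `if (len > 0) { *data_ret = data; ret_val = len; } else { *data_ret = NULL; }`, which keeps the NULL-on-empty rule and the -1 return in one place. Because ret_val is only assigned when len > 0, a zero-length read is exactly the ret_val == -1 exit path the commit message describes, so clearing *data_ret here does remove the dangling pointer, provided `data` is still XFree'd on that exit path and the caller (handle_selection_notify via get_selection_free) treats a NULL pointer as nothing to free; a one-line comment above the `else` saying why NULL is returned on an empty read would save the next reader from rediscovering bug #710461. Minor style point: the outer `else` gains braces while the inner `if`/`else` bodies do not; bracing both would match the surrounding code more consistently.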