From e82132c1d1a6a182d2844ae3de30eb1409e3505c Mon Sep 17 00:00:00 2001
From: Jesse Adkins
Date: Wed, 4 Aug 2010 23:39:14 -0700
Subject: [PATCH] xfree86: parser: Never use heap memory for driver names (fixes #17438)
When the parser sees the "keyboard" driver, it automatically (and silently) replaces it with "kbd" (from heap). Everybody else uses malloc'd memory for the driver name, so input device closure assumes it can use free. Free val.str, so this crash doesn't turn into a memory leak. Whew.
Signed-off-by: Jesse Adkins
---
hw/xfree86/parser/Input.c | 7 +++++--
hw/xfree86/parser/InputClass.c | 6 ++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/xfree86/parser/Input.c b/hw/xfree86/parser/Input.c
index 50869d4..6fd15f6 100644
--- a/hw/xfree86/parser/Input.c
+++ b/hw/xfree86/parser/Input.c
@@ -59,6 +59,7 @@
#include
#endif
+#include "os.h"
#include "xf86Parser.h"
#include "xf86tokens.h"
#include "Configint.h"
@@ -102,8 +103,10 @@ xf86parseInputSection (void)
case DRIVER:
if (xf86getSubToken (&(ptr->inp_comment)) != STRING)
Error (QUOTE_MSG, "Driver");
- if (strcmp(val.str, "keyboard") == 0)
- ptr->inp_driver = "kbd";
+ if (strcmp(val.str, "keyboard") == 0) {
+ ptr->inp_driver = Xstrdup("kbd");
+ free(val.str);
+ }
else
ptr->inp_driver = val.str;
break;
diff --git a/hw/xfree86/parser/InputClass.c b/hw/xfree86/parser/InputClass.c
index ce611d9..080de07 100644
--- a/hw/xfree86/parser/InputClass.c
+++ b/hw/xfree86/parser/InputClass.c
@@ -111,8 +111,10 @@ xf86parseInputClassSection(void)
case DRIVER:
if (xf86getSubToken(&(ptr->comment)) != STRING)
Error(QUOTE_MSG, "Driver");
- if (strcmp(val.str, "keyboard") == 0)
- ptr->driver = "kbd";
+ if (strcmp(val.str, "keyboard") == 0) {
+ ptr->driver = Xstrdup("kbd");
+ free(val.str);
+ }
else
ptr->driver = val.str;
break;
--
1.7.0.4
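Review bot: In the `DRIVER` case of `xf86parseInputSection` (hw/xfree86/parser/Input.c) the result of `Xstrdup("kbd")` is stored without a check, so an allocation failure would leave `ptr->inp_driver` NULL where the other branch stores the parsed string; the same applies to `ptr->driver` in the matching hunk of InputClass.c. If the server's aborting variant is usable from the parser, `ptr->inp_driver = XNFstrdup("kbd");` would close that gap, otherwise the NULL result needs handling at this point. After `free(val.str);` the pointer still refers to freed memory; presumably the next token read overwrites it, but adding `val.str = NULL;` would make a stray later use fail cleanly rather than touch freed memory. A short comment recording the invariant would help the next editor, e.g. `/* inp_driver must be heap-allocated: it is released with free() when the input device is closed */`. Both functions begin and end outside the hunks shown, so the free path itself is not visible here.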