Bug 93184 - read_EncodingInfo invalid free
Summary: read_EncodingInfo invalid free
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib
Version: unspecified
Hardware: Other All
Importance: medium major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2015-11-30 21:57 UTC by Sami Farin
Modified: 2015-12-19 17:15 UTC

Description Sami Farin 2015-11-30 21:57:03 UTC
Snipped some lines:
    FontData font_data = Xcalloc(count, sizeof(FontDataRec));
    for ( ; count-- > 0; font_data++) {
        font_data->name = Xmalloc(len + 1);
        if (font_data->name == NULL) {
            Xfree(font_data);
            return NULL;
        }

If count>0 and Xmalloc(len + 1) fails after the first for loop, free() is called on an invalid pointer (malloc()ed ptr font_data offset by 280 bytes on my system).
Did you mean to Xfree(ret)? You also leak the other successful font_data->name malloc()s doing this.
Comment 1 Alan Coopersmith 2015-12-04 07:32:09 UTC
Proposed fix posted for review:
http://patchwork.freedesktop.org/patch/67088/
Comment 2 Alan Coopersmith 2015-12-19 17:15:52 UTC
Fix pushed to git master:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=07a97b3944467dce085a1efd24706cc851d2caf2
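
The cleanup pattern the description asks about, as an added example that is not libX11's code and not the pushed fix: the base pointer stays in `ret` while the cursor advances, and a failed allocation releases the names already allocated before freeing the array. The names `x_alloc`, `x_free`, `free_font_data`, `read_names`, the one-field `FontDataRec` and the failure-injection counter are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { char *name; } FontDataRec, *FontData;  /* simplified stand-in */

static int fail_after = -1;  /* test hook: allocations allowed before failing (-1 = never fail) */
static int live_allocs = 0;  /* outstanding allocations, used to check for leaks */

static void *x_alloc(size_t n) {            /* hypothetical wrapper, not Xmalloc */
    if (fail_after == 0) return NULL;       /* simulated out-of-memory */
    if (fail_after > 0) fail_after--;
    void *p = calloc(1, n);
    if (p) live_allocs++;
    return p;
}
static void x_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Free the first n names, then the array through its BASE pointer. */
static void free_font_data(FontData base, int n) {
    for (int i = 0; i < n; i++) x_free(base[i].name);
    x_free(base);
}

/* Same loop shape as in the report, but `ret` keeps the pointer the
 * allocator returned while `font_data` is the cursor that is advanced. */
FontData read_names(const char **names, int count) {
    FontData ret, font_data;
    ret = font_data = x_alloc((size_t)count * sizeof(FontDataRec));
    if (ret == NULL) return NULL;
    for (int i = 0; i < count; i++, font_data++) {
        size_t len = strlen(names[i]);
        font_data->name = x_alloc(len + 1);
        if (font_data->name == NULL) {
            /* The reported code passed the advanced cursor to free here,
             * which is not a pointer the allocator returned once i > 0. */
            free_font_data(ret, i);
            return NULL;
        }
        memcpy(font_data->name, names[i], len + 1);
    }
    return ret;
}
```

Building the reported variant with `-fsanitize=address` and forcing the second name allocation to fail makes the bad `free` show up as an "attempting free on address which was not malloc()-ed" report.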

