diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2012-05-26 15:07:07 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2012-05-28 10:03:09 -0700 |
| commit | 52081b462ff7d1844d014bf9be887197caa88160 (patch) | |
| tree | ad0954c1918125cc20339c86cea7e4f3d080ee55 | |
| parent | ca35cff72a3100c9367b7e7f4811117c8733b8be (diff) | |
| download | xorg-lib-libXaw-52081b462ff7d1844d014bf9be887197caa88160.tar.gz | |
Only call XawStackFree if XawStackAlloc was used for allocation
In FormParagraph() in TextAction.c, the #if OLDXAW case always uses
fixed length buffers, while the !OLDXAW case uses XawStackAlloc &
XawStackFree to switch to dynamic allocations when the buffers aren't
large enough.
A couple instances of XawStackFree slipped into the wrong side of
the #if checks though, so move them back where they belong. Also
reset pos afterwards, in the case we continue and may use it again,
to avoid the chance of a double free.
Found by the Parfait 0.5.0.1 bug checking tool:
Error: Free memory not allocated dynamically by alloc (CWE 590)
Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory
at line 3946 of TextAction.c in function 'FormParagraph'.
'buf' allocated at line 0 as auto variable.
at line 4000 of TextAction.c in function 'FormParagraph'.
'buf' allocated at line 0 as auto variable.
Error: Use after free (CWE 416)
Use after free of pointer '&buf'
at line 3995 of TextAction.c in function 'FormParagraph'.
Previously freed at line 3946 with XtFree.
Error: Use after free
Double free (CWE 415): Double free of pointer '&buf' in call to XtFree
at line 4000 of TextAction.c in function 'FormParagraph'.
Previously freed at line 3946 with XtFree.
Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree
at line 4000 of TextAction.c in function 'FormParagraph'.
Previously freed at line 3946 with XtFree.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>
| -rw-r--r-- | src/TextAction.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/TextAction.c b/src/TextAction.c index fe7e573..7b87ce4 100644 --- a/src/TextAction.c +++ b/src/TextAction.c @@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) } if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) { + XawStackFree(pos, buf); + pos = buf; #else from = SrcScan(ctx->text.source, ctx->text.insertPos, XawstParagraph, XawsdLeft, 1, False); @@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) { #endif - XawStackFree(pos, buf); XBell(XtDisplay(w), 0); #ifndef OLDXAW if (undo) { @@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) XawsdLeft, 1, False), False); tw->text.clear_to_eol = True; } + XawStackFree(pos, buf); #else ctx->text.old_insert = ctx->text.insertPos = *pos; _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top, XawstEOL, XawsdLeft, 1, False), False); ctx->text.clear_to_eol = True; #endif - XawStackFree(pos, buf); ctx->text.showposition = True; EndAction(ctx); |