Discussion:
[PATCH app/twm 1/2] When replacing a colormap, free old map, not new one
Alan Coopersmith
2018-09-30 21:44:35 UTC
Found by Oracle's Parfait 2.2 static analyzer:

Error: Use after free
Use after free [use-after-free] (CWE 416):
Use after free of pointer Scr
at line 421 of src/util.c in function 'InsertRGBColormap'.
Invalid pointer accessible via global Scr at line 105 of src/twm.c
maps escapes to sc->maps at line 419 of src/util.c in function 'InsertRGBColormap'
maps freed with XFree at line 406

Signed-off-by: Alan Coopersmith <***@oracle.com>
---
src/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util.c b/src/util.c
index 8e9dab9..e254cd5 100644
--- a/src/util.c
+++ b/src/util.c
@@ -403,7 +403,7 @@ InsertRGBColormap (Atom a, XStandardColormap *maps, int nmaps, Bool replace)
}

if (replace) { /* just update contents */
- if (sc->maps) XFree (maps);
+ if (sc->maps) XFree (sc->maps);
if (sc == Scr->StdCmapInfo.mru) Scr->StdCmapInfo.mru = NULL;
} else { /* else appending */
sc->next = NULL;
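Review bot: The `+` line in the replace branch leaves sc->maps pointing at freed memory until the later assignment that the analyzer trace places at line 419 ("maps escapes to sc->maps"). Nothing in the lines shown reads the field in between, so the change is correct as written. Still, setting sc->maps = NULL right after the XFree, or adding a short comment that sc takes ownership of the caller's maps array, would make the ownership rule explicit and keep a future early return from reintroducing the CWE 416 report.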
--
2.15.2

_______________________________________________
xorg-***@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinf
Alan Coopersmith
2018-09-30 21:44:36 UTC
Found by Oracle's Parfait 2.2 static analyzer:

Error: Memory leak
Memory leak [memory-leak] (CWE 401):
Memory leak of pointer sc allocated with malloc(32)
at line 421 of src/util.c in function 'InsertRGBColormap'.
sc allocated at line 397 with malloc(32)
sc leaks when replace != 0 at line 405.

Signed-off-by: Alan Coopersmith <***@oracle.com>
---
src/util.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/util.c b/src/util.c
index e254cd5..acc8769 100644
--- a/src/util.c
+++ b/src/util.c
@@ -400,6 +400,7 @@ InsertRGBColormap (Atom a, XStandardColormap *maps, int nmaps, Bool replace)
ProgramName, (unsigned long)sizeof (StdCmap));
return;
}
+ replace = False;
}

if (replace) { /* just update contents */
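Review bot: The new `replace = False;` line needs a comment, and the commit message should say why it fixes the leak. The line sits at the end of the block that allocates a new sc, so it forces a freshly allocated entry down the "else appending" path instead of the "just update contents" path, where the report says sc leaks. The message could also mention a second effect: sc comes from malloc per the report, so without this line the replace branch would test an uninitialized sc->maps and, with 1/2 applied, pass it to XFree.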
--
2.15.2

Walter Harms
2018-10-11 19:14:32 UTC
Post by Alan Coopersmith
Error: Use after free
Use after free of pointer Scr
at line 421 of src/util.c in function 'InsertRGBColormap'.
Invalid pointer accessible via global Scr at line 105 of src/twm.c
maps escapes to sc->maps at line 419 of src/util.c in function
'InsertRGBColormap'
maps freed with XFree at line 406
---
src/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util.c b/src/util.c
index 8e9dab9..e254cd5 100644
--- a/src/util.c
+++ b/src/util.c
@@ -403,7 +403,7 @@ InsertRGBColormap (Atom a, XStandardColormap *maps, int
nmaps, Bool replace)
}
if (replace) { /* just update contents */
- if (sc->maps) XFree (maps);
+ if (sc->maps) XFree (sc->maps);
just
XFree (sc->maps);

is sufficient

re,
wh
Post by Alan Coopersmith
if (sc == Scr->StdCmapInfo.mru) Scr->StdCmapInfo.mru = NULL;
} else { /* else appending */
sc->next = NULL;
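Review bot: The `if (sc->maps)` guard on the `+` line is worth keeping. Xlib's documentation for XFree states that a NULL pointer cannot be passed to it, so the check keeps the call within the documented contract for an entry whose maps field is NULL.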
--
2.15.2