44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
|
From c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Matthieu Herrb <matthieu@herrb.eu>
|
||
|
|
Date: Thu, 12 Jan 2023 15:05:39 +1000
|
||
|
|
Subject: [PATCH] Prevent a double free in the error code path
|
||
|
|
|
||
|
|
xpmParseDataAndCreate() calls XDestroyImage() in the error path.
|
||
|
|
Reproducible with sxpm "zero-width.xpm", that file is in the test/
|
||
|
|
directory.
|
||
|
|
|
||
|
|
The same approach is needed in the bytes_per_line == 0 condition though
|
||
|
|
here it just plugs a memory leak.
|
||
|
|
|
||
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
|
|
||
|
|
Origin:
|
||
|
|
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d2135dbebe9a367c5f0
|
||
|
|
---
|
||
|
|
lib/Xm/Xpmcreate.c | 6 +++++-
|
||
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/lib/Xm/Xpmcreate.c b/lib/Xm/Xpmcreate.c
|
||
|
|
index d0f3c3b..01c5d1a 100644
|
||
|
|
--- a/lib/Xm/Xpmcreate.c
|
||
|
|
+++ b/lib/Xm/Xpmcreate.c
|
||
|
|
@@ -954,10 +954,14 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
|
||
|
|
#ifndef FOR_MSW
|
||
|
|
if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
|
||
|
|
XDestroyImage(*image_return);
|
||
|
|
+ *image_return = NULL;
|
||
|
|
return (XpmNoMemory);
|
||
|
|
}
|
||
|
|
- if((*image_return)->bytes_per_line == 0 || height == 0)
|
||
|
|
+ if((*image_return)->bytes_per_line == 0 || height == 0) {
|
||
|
|
+ XDestroyImage(*image_return);
|
||
|
|
+ *image_return = NULL;
|
||
|
|
return XpmNoMemory;
|
||
|
|
+ }
|
||
|
|
/* now that bytes_per_line must have been set properly alloc data */
|
||
|
|
(*image_return)->data =
|
||
|
|
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
|
||
|
|
--
|
||
|
|
2.46.0
|
||
|
|
|