author | Matthieu Herrb <matthieu@herrb.eu> | 2023-10-14 19:06:22 +0200 |
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2024-10-22 21:07:14 +0000 |
commit | e3e14369c62a3647b8f125d9dcb7072f370c10f1 (patch) | |
tree | 57ba749bfdfe73767c3f3c522c94676d2940a284 | |
parent | 4adb5d589f4bb90bf0ff9f1c88096ce60c41286c (diff) |
Fix a double-free on syntax error without a new line.
$ echo "#foo\nfoo" > custom_config $ X -config custom_config
will trigger the double free because the contents of xf86_lex_val.str
have been realloc()ed already when free is called in read.c:209.
This copies the lex token and adds all the necessary free() calls to
avoid leaking it
(cherry picked from commit fbc034e847a3862a0a28e5872135a3c502da6518)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
-rw-r--r-- | hw/xfree86/parser/DRI.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Device.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Extensions.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Files.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Flags.c | 16 | ||||
-rw-r--r-- | hw/xfree86/parser/Input.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/InputClass.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Layout.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Module.c | 11 | ||||
-rw-r--r-- | hw/xfree86/parser/Monitor.c | 6 | ||||
-rw-r--r-- | hw/xfree86/parser/OutputClass.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Pointer.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/Screen.c | 4 | ||||
-rw-r--r-- | hw/xfree86/parser/Vendor.c | 4 | ||||
-rw-r--r-- | hw/xfree86/parser/Video.c | 4 | ||||
-rw-r--r-- | hw/xfree86/parser/read.c | 2 | ||||
-rw-r--r-- | hw/xfree86/parser/scan.c | 14 |
17 files changed, 69 insertions, 10 deletions
diff --git a/hw/xfree86/parser/DRI.c b/hw/xfree86/parser/DRI.c
index 31f447d05..933e69f30 100644
--- a/hw/xfree86/parser/DRI.c
+++ b/hw/xfree86/parser/DRI.c
@@ -77,6 +77,8 @@ xf86parseDRISection(void)
 break;
 case COMMENT:
 ptr->dri_comment = xf86addComment(ptr->dri_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 default:
 Error(INVALID_KEYWORD_MSG, xf86tokenString());
diff --git a/hw/xfree86/parser/Device.c b/hw/xfree86/parser/Device.c
index 34b7f6557..d0d057adc 100644
--- a/hw/xfree86/parser/Device.c
+++ b/hw/xfree86/parser/Device.c
@@ -106,6 +106,8 @@ xf86parseDeviceSection(void)
 switch (token) {
 case COMMENT:
 ptr->dev_comment = xf86addComment(ptr->dev_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->dev_comment)) != STRING)
diff --git a/hw/xfree86/parser/Extensions.c b/hw/xfree86/parser/Extensions.c
index 3a2195901..206c512ef 100644
--- a/hw/xfree86/parser/Extensions.c
+++ b/hw/xfree86/parser/Extensions.c
@@ -67,6 +67,8 @@ xf86parseExtensionsSection(void)
 case COMMENT:
 ptr->extensions_comment = xf86addComment(ptr->extensions_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 default:
 Error(INVALID_KEYWORD_MSG, xf86tokenString());
diff --git a/hw/xfree86/parser/Files.c b/hw/xfree86/parser/Files.c
index c86ac7af2..fba99a864 100644
--- a/hw/xfree86/parser/Files.c
+++ b/hw/xfree86/parser/Files.c
@@ -89,6 +89,8 @@ xf86parseFilesSection(void)
 switch (token) {
 case COMMENT:
 ptr->file_comment = xf86addComment(ptr->file_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case FONTPATH:
 if (xf86getSubToken(&(ptr->file_comment)) != STRING)
diff --git a/hw/xfree86/parser/Flags.c b/hw/xfree86/parser/Flags.c
index d677cf1db..7d35bb7ea 100644
--- a/hw/xfree86/parser/Flags.c
+++ b/hw/xfree86/parser/Flags.c
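Review bot: The release pair `free(xf86_lex_val.str); xf86_lex_val.str = NULL;` is pasted verbatim after every xf86addComment() call in this hunk and again in the Device, Extensions, Files, Flags, Input, InputClass, Layout, Module, Monitor, OutputClass, Pointer, Screen, Vendor, Video and read.c hunks, so the ownership rule for a COMMENT token now lives in roughly twenty places instead of one. A small helper declared next to xf86addComment() that appends the current token and then releases it, used as `ptr->dri_comment = xf86addCommentAndFree(ptr->dri_comment);` (name constructed), would make it hard for a future COMMENT case to forget the free. Its body is just the existing xf86addComment() call, the two release lines, and a return of the result. If the helper is not wanted, a one-line comment at each site such as `/* COMMENT tokens are heap copies; release after use */` would at least record why the free is there.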
@@ -98,6 +98,8 @@ xf86parseFlagsSection(void)
 switch (token) {
 case COMMENT:
 ptr->flg_comment = xf86addComment(ptr->flg_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 /*
 * these old keywords are turned into standard generic options.
@@ -436,18 +438,24 @@ xf86parseOption(XF86OptionPtr head)
 if ((token = xf86getSubToken(&comment)) == STRING) {
 option = xf86newOption(name, xf86_lex_val.str);
 option->opt_comment = comment;
- if ((token = xf86getToken(NULL)) == COMMENT)
+ if ((token = xf86getToken(NULL)) == COMMENT) {
 option->opt_comment = xf86addComment(option->opt_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
 xf86unGetToken(token);
+ }
 }
 else {
 option = xf86newOption(name, NULL);
 option->opt_comment = comment;
- if (token == COMMENT)
+ if (token == COMMENT) {
 option->opt_comment = xf86addComment(option->opt_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
 xf86unGetToken(token);
+ }
 }
 old = NULL;
diff --git a/hw/xfree86/parser/Input.c b/hw/xfree86/parser/Input.c
index 88d19b6b5..6b286ec74 100644
--- a/hw/xfree86/parser/Input.c
+++ b/hw/xfree86/parser/Input.c
@@ -84,6 +84,8 @@ xf86parseInputSection(void)
 switch (token) {
 case COMMENT:
 ptr->inp_comment = xf86addComment(ptr->inp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->inp_comment)) != STRING)
diff --git a/hw/xfree86/parser/InputClass.c b/hw/xfree86/parser/InputClass.c
index 7281659e0..8b9510c0b 100644
--- a/hw/xfree86/parser/InputClass.c
+++ b/hw/xfree86/parser/InputClass.c
@@ -191,6 +191,8 @@ xf86parseInputClassSection(void)
 switch (token) {
 case COMMENT:
 ptr->comment = xf86addComment(ptr->comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->comment)) != STRING)
diff --git a/hw/xfree86/parser/Layout.c b/hw/xfree86/parser/Layout.c
index 2c829f4ee..532f318f3 100644
--- a/hw/xfree86/parser/Layout.c
+++ b/hw/xfree86/parser/Layout.c
@@ -101,6 +101,8 @@ xf86parseLayoutSection(void)
 switch (token) {
 case COMMENT:
 ptr->lay_comment = xf86addComment(ptr->lay_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->lay_comment)) != STRING)
diff --git a/hw/xfree86/parser/Module.c b/hw/xfree86/parser/Module.c
index 38bf777ed..9a166aff2 100644
--- a/hw/xfree86/parser/Module.c
+++ b/hw/xfree86/parser/Module.c
@@ -95,6 +95,8 @@ xf86parseModuleSubSection(XF86LoadPtr head, char *name)
 switch (token) {
 case COMMENT:
 ptr->load_comment = xf86addComment(ptr->load_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case OPTION:
 ptr->load_opt = xf86parseOption(ptr->load_opt);
@@ -126,6 +128,8 @@ xf86parseModuleSection(void)
 switch (token) {
 case COMMENT:
 ptr->mod_comment = xf86addComment(ptr->mod_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case LOAD:
 if (xf86getSubToken(&(ptr->mod_comment)) != STRING)
@@ -230,10 +234,13 @@ xf86addNewLoadDirective(XF86LoadPtr head, const char *name, int type,
 new->ignore = 0;
 new->list.next = NULL;
- if ((token = xf86getToken(NULL)) == COMMENT)
+ if ((token = xf86getToken(NULL)) == COMMENT) {
 new->load_comment = xf86addComment(new->load_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
 xf86unGetToken(token);
+ }
 return ((XF86LoadPtr) xf86addListItem((glp) head, (glp) new));
 }
diff --git a/hw/xfree86/parser/Monitor.c b/hw/xfree86/parser/Monitor.c
index 1d63a441c..056b9f4c0 100644
--- a/hw/xfree86/parser/Monitor.c
+++ b/hw/xfree86/parser/Monitor.c
@@ -269,6 +269,8 @@ xf86parseVerboseMode(void)
 switch (token) {
 case COMMENT:
 ptr->ml_comment = xf86addComment(ptr->ml_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case DOTCLOCK:
 if ((token = xf86getSubToken(&(ptr->ml_comment))) != NUMBER)
@@ -413,6 +415,8 @@ xf86parseMonitorSection(void)
 switch (token) {
 case COMMENT:
 ptr->mon_comment = xf86addComment(ptr->mon_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->mon_comment)) != STRING)
@@ -599,6 +603,8 @@ xf86parseModesSection(void)
 switch (token) {
 case COMMENT:
 ptr->modes_comment = xf86addComment(ptr->modes_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->modes_comment)) != STRING)
diff --git a/hw/xfree86/parser/OutputClass.c b/hw/xfree86/parser/OutputClass.c
index 01b348fdd..4c5340a03 100644
--- a/hw/xfree86/parser/OutputClass.c
+++ b/hw/xfree86/parser/OutputClass.c
@@ -102,6 +102,8 @@ xf86parseOutputClassSection(void)
 switch (token) {
 case COMMENT:
 ptr->comment = xf86addComment(ptr->comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->comment)) != STRING)
diff --git a/hw/xfree86/parser/Pointer.c b/hw/xfree86/parser/Pointer.c
index ff63deb31..85f7b46d5 100644
--- a/hw/xfree86/parser/Pointer.c
+++ b/hw/xfree86/parser/Pointer.c
@@ -104,6 +104,8 @@ xf86parsePointerSection(void)
 switch (token) {
 case COMMENT:
 ptr->inp_comment = xf86addComment(ptr->inp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case PROTOCOL:
 if (xf86getSubToken(&(ptr->inp_comment)) != STRING)
diff --git a/hw/xfree86/parser/Screen.c b/hw/xfree86/parser/Screen.c
index a831c30cd..28cd03b68 100644
--- a/hw/xfree86/parser/Screen.c
+++ b/hw/xfree86/parser/Screen.c
@@ -119,6 +119,8 @@ xf86parseDisplaySubSection(void)
 switch (token) {
 case COMMENT:
 ptr->disp_comment = xf86addComment(ptr->disp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case VIEWPORT:
 if (xf86getSubToken(&(ptr->disp_comment)) != NUMBER)
@@ -256,6 +258,8 @@ xf86parseScreenSection(void)
 switch (token) {
 case COMMENT:
 ptr->scrn_comment = xf86addComment(ptr->scrn_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->scrn_comment)) != STRING)
diff --git a/hw/xfree86/parser/Vendor.c b/hw/xfree86/parser/Vendor.c
index 50ea68956..456ce8fd0 100644
--- a/hw/xfree86/parser/Vendor.c
+++ b/hw/xfree86/parser/Vendor.c
@@ -98,6 +98,8 @@ xf86parseVendorSubSection(void)
 switch (token) {
 case COMMENT:
 ptr->vs_comment = xf86addComment(ptr->vs_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->vs_comment)))
@@ -151,6 +153,8 @@ xf86parseVendorSection(void)
 switch (token) {
 case COMMENT:
 ptr->vnd_comment = xf86addComment(ptr->vnd_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->vnd_comment)) != STRING)
diff --git a/hw/xfree86/parser/Video.c b/hw/xfree86/parser/Video.c
index 4e8526f3f..108c8f3ad 100644
--- a/hw/xfree86/parser/Video.c
+++ b/hw/xfree86/parser/Video.c
@@ -97,6 +97,8 @@ xf86parseVideoPortSubSection(void)
 switch (token) {
 case COMMENT:
 ptr->vp_comment = xf86addComment(ptr->vp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->vp_comment)) != STRING)
@@ -154,6 +156,8 @@ xf86parseVideoAdaptorSection(void)
 switch (token) {
 case COMMENT:
 ptr->va_comment = xf86addComment(ptr->va_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case IDENTIFIER:
 if (xf86getSubToken(&(ptr->va_comment)) != STRING)
diff --git a/hw/xfree86/parser/read.c b/hw/xfree86/parser/read.c
index d7e731217..a4600bc06 100644
--- a/hw/xfree86/parser/read.c
+++ b/hw/xfree86/parser/read.c
@@ -100,6 +100,8 @@ xf86readConfigFile(void)
 switch (token) {
 case COMMENT:
 ptr->conf_comment = xf86addComment(ptr->conf_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
 break;
 case SECTION:
 if (xf86getSubToken(&(ptr->conf_comment)) != STRING) {
diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 1eb35ed73..f4645f9d9 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -332,10 +332,10 @@ xf86getToken(const xf86ConfigSymTabRec * tab)
 } while ((c != '\n') && (c != '\r') && (c != '\0'));
 configRBuf[i] = '\0';
- /* XXX no private copy.
+ /* XXX private copy.
 * Use xf86addComment when setting a comment.
 */
- xf86_lex_val.str = configRBuf;
+ xf86_lex_val.str = strdup(configRBuf);
 return COMMENT;
 }
@@ -448,8 +448,11 @@ xf86getSubToken(char **comment)
 for (;;) {
 token = xf86getToken(NULL);
 if (token == COMMENT) {
- if (comment)
+ if (comment) {
 *comment = xf86addComment(*comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ }
 }
 else
 return token;
@@ -464,8 +467,11 @@ xf86getSubTokenWithTab(char **comment, const xf86ConfigSymTabRec * tab)
 for (;;) {
 token = xf86getToken(tab);
 if (token == COMMENT) {
- if (comment)
+ if (comment) {
 *comment = xf86addComment(*comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ }
 }
 else
 return token;
|
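Review bot: In the xf86getSubToken hunk, and identically in the xf86getSubTokenWithTab hunk below it, the new free() sits inside `if (comment) {`, so a caller that passes a NULL comment pointer now leaks the strdup()ed COMMENT token on every iteration of the loop, where the old code merely skipped a borrowed buffer; the release belongs after the inner if so it runs on both paths, i.e. keep `if (comment)` with its single assignment and follow it with `free(xf86_lex_val.str); xf86_lex_val.str = NULL;` unconditionally. In xf86getToken the result of `strdup(configRBuf)` is not checked, so on allocation failure every consumer hands NULL to xf86addComment(); whether that function tolerates NULL is not visible here and should be confirmed. The comment above the assignment still reads `/* XXX private copy.`, keeping the marker that used to flag the missing copy; it should instead state the new contract, e.g. `/* Heap copy: the consumer of a COMMENT token must free xf86_lex_val.str. */`. The bodies of xf86getToken, xf86getSubToken and xf86getSubTokenWithTab all begin before their hunks.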