author | Christophe Fergeau <cfergeau@redhat.com> | 2011-07-07 16:13:27 +0200 |
---|---|---|
committer | Christophe Fergeau <cfergeau@redhat.com> | 2011-07-18 18:15:39 +0200 |
commit | 933ca15ff4bebd5346e99aefe0b4ba1ea77985c5 (patch) | |
tree | 696db8e3184452a4c2d34ecfc5c2244504d03a57 /client | |
parent | 40043d3bc2878fced8773a653660c428df013eb3 (diff) |
x11: don't return freed memory from get_clipboard
There is a double free in client/x11/platform.cpp.
In get_selection(), in the exit: case with ret_val == -1 and data != NULL,
*data_ret (which is returned to the caller) has already been
assigned "data", so it will be pointing to freed memory when "data" is
XFree'd. Then in handle_selection_notify, get_selection_free is called on
this pointer, which causes a double free.
When the length of the read data = 0, set the returned value to NULL,
this way subsequent free attempts will be a noop.
Fixes RH bug #710461
Diffstat (limited to 'client')
-rw-r--r-- | client/x11/platform.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/client/x11/platform.cpp b/client/x11/platform.cpp index 910d61e8..fe98eae9 100644 --- a/client/x11/platform.cpp +++ b/client/x11/platform.cpp @@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format, } len = clipboard_data_size; *data_ret = clipboard_data; - } else - *data_ret = data; + } else { + if (len > 0) + *data_ret = data; + else + *data_ret = NULL; + } if (len > 0) ret_val = len; |
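Review bot: The new `len > 0` guard covers only the `else` branch; the branch just above it still does `len = clipboard_data_size; *data_ret = clipboard_data;` unconditionally, so if `clipboard_data_size` is 0 the following `if (len > 0) ret_val = len;` is skipped and the caller is handed a non-NULL pointer without `ret_val` being set to a length. Please confirm that the exit path and `get_selection_free` handle that case, or make the rule uniform by setting `*data_ret = NULL` at the top of the function and assigning it only at the point where `ret_val = len` is set. That would also remove the duplicated `len > 0` test, which currently has to stay in sync in two places.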