You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
72 lines
3.0 KiB
72 lines
3.0 KiB
5 years ago
|
From 77b8fc885e582a21c0f3f00f9120c948d4fa424b Mon Sep 17 00:00:00 2001
|
||
|
|
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
|
||
|
|
Date: Tue, 24 Mar 2020 14:26:43 +0900
|
||
|
|
Subject: [PATCH] free_gibson: fix order of freeing memory
|
||
|
|
|
||
|
|
gcc10 -fsanitize=address detects use-after-free on free_gibsonn:
|
||
|
|
=================================================================
|
||
|
|
==49579==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000021c8c at pc 0x00000040da99 bp 0x7ffdb9dfea00 sp 0x7ffdb9dfe9f0
|
||
|
|
READ of size 4 at 0x61d000021c8c thread T0
|
||
|
|
#0 0x40da98 in free_gibson ../../../hacks/glx/gibson.c:1323
|
||
|
|
#1 0x4256af in xlockmore_free ../../hacks/xlockmore.c:724
|
||
|
|
#2 0x40aaeb in run_screenhack_table ../../hacks/screenhack.c:614
|
||
|
|
#3 0x40aaeb in main ../../hacks/screenhack.c:991
|
||
|
|
#4 0x7f6aab9b81a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
|
||
|
|
#5 0x40c09d in _start (/home/mtasaka/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.44/x86_64-pc-linux-gnu/hacks/glx/gibson+0x40c09d)
|
||
|
|
|
||
|
|
0x61d000021c8c is located 12 bytes inside of 2304-byte region [0x61d000021c80,0x61d000022580)
|
||
|
|
freed by thread T0 here:
|
||
|
|
#0 0x7f6aacc4a357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
|
||
|
|
#1 0x40d21a in free_gibson ../../../hacks/glx/gibson.c:1309
|
||
|
|
|
||
|
|
previously allocated by thread T0 here:
|
||
|
|
#0 0x7f6aacc4a887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
|
||
|
|
#1 0x41321c in init_gibson ../../../hacks/glx/gibson.c:1028
|
||
|
|
|
||
|
|
This patch fixes order of freeing memory.
|
||
|
|
---
|
||
|
|
hacks/glx/gibson.c | 17 ++++++++++-------
|
||
|
|
1 file changed, 10 insertions(+), 7 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/hacks/glx/gibson.c b/hacks/glx/gibson.c
|
||
|
|
index 8f99040..05b16a7 100644
|
||
|
|
--- a/hacks/glx/gibson.c
|
||
|
|
+++ b/hacks/glx/gibson.c
|
||
|
|
@@ -1306,7 +1306,6 @@ free_gibson (ModeInfo *mi)
|
||
|
|
if (!bp->glx_context) return;
|
||
|
|
glXMakeCurrent(MI_DISPLAY(mi), MI_WINDOW(mi), *bp->glx_context);
|
||
|
|
|
||
|
|
- if (bp->towers) free (bp->towers);
|
||
|
|
if (bp->rot) free_rotator (bp->rot);
|
||
|
|
if (bp->rot2) free_rotator (bp->rot2);
|
||
|
|
if (glIsList(bp->ground_dlist)) glDeleteLists(bp->ground_dlist, 1);
|
||
|
|
@@ -1316,15 +1315,19 @@ free_gibson (ModeInfo *mi)
|
||
|
|
if (bp->text[i].font_data) free_texture_font (bp->text[i].font_data);
|
||
|
|
if (bp->text[i].text) free (bp->text[i].text);
|
||
|
|
}
|
||
|
|
- for (i = 0; i < bp->ntowers; i++)
|
||
|
|
+ if (bp->towers)
|
||
|
|
{
|
||
|
|
- for (j = 0; j < countof(bp->towers[i].fg_dlists); j++)
|
||
|
|
+ for (i = 0; i < bp->ntowers; i++)
|
||
|
|
{
|
||
|
|
- if (glIsList(bp->towers[i].fg_dlists[j]))
|
||
|
|
- glDeleteLists(bp->towers[i].fg_dlists[j], 1);
|
||
|
|
- if (glIsList(bp->towers[i].bg_dlists[j]))
|
||
|
|
- glDeleteLists(bp->towers[i].bg_dlists[j], 1);
|
||
|
|
+ for (j = 0; j < countof(bp->towers[i].fg_dlists); j++)
|
||
|
|
+ {
|
||
|
|
+ if (glIsList(bp->towers[i].fg_dlists[j]))
|
||
|
|
+ glDeleteLists(bp->towers[i].fg_dlists[j], 1);
|
||
|
|
+ if (glIsList(bp->towers[i].bg_dlists[j]))
|
||
|
|
+ glDeleteLists(bp->towers[i].bg_dlists[j], 1);
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
+ free (bp->towers);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
--
|
||
|
|
2.25.2
|
||
|
|
|