From 506961706f1a86ab1fc9fbda20f8341f912c1025 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Wed, 24 Mar 2021 01:36:39 +0900
Subject: [PATCH] blank_character_p: fix use-after-free

unicrud in xscreensaver 6.00b2 causes segfault with use-after-free:

=================================================================
==1024582==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011b00 at pc 0x0000004286b0 bp 0x7ffeeff33710 sp 0x7ffeeff33708
READ of size 4 at 0x60d000011b00 thread T0
    #0 0x4286af in blank_character_p ../../../hacks/glx/texfont.c:751
    #1 0x4286af in pick_unichar ../../../hacks/glx/unicrud.c:637
    #2 0x44861f in init_unicrud ../../../hacks/glx/unicrud.c:872
    #3 0x414f1f in xlockmore_do_init ../../../hacks/xlockmore.c:572
    #4 0x415dd0 in xlockmore_check_init ../../../hacks/xlockmore.c:595
    #5 0x415dd0 in xlockmore_check_init ../../../hacks/xlockmore.c:591
    #6 0x415dd0 in xlockmore_event ../../../hacks/xlockmore.c:682
    #7 0x40a1c3 in screenhack_table_handle_events ../../../hacks/screenhack.c:463
    #8 0x40a1c3 in usleep_and_process_events ../../../hacks/screenhack.c:522
    #9 0x40a1c3 in run_screenhack_table ../../../hacks/screenhack.c:582
    #10 0x40a1c3 in main ../../../hacks/screenhack.c:996
    #11 0x7f1b465feb74 in __libc_start_main ../csu/libc-start.c:332
    #12 0x40ba6d in _start (/home/tasaka1/rpmbuild/fedora-specific/TMP/xscreensaver/rawhide/xscreensaver-6.00b2/x86_64-pc-linux-gnu/hacks/glx/unicrud+0x40ba6d)

0x60d000011b00 is located 0 bytes inside of 136-byte region [0x60d000011b00,0x60d000011b88)
freed by thread T0 here:
    #0 0x7f1b47663a67 in free (/lib64/libasan.so.6+0xaea67)
    #1 0x7f1b4745d211 in _XDestroyImage /usr/src/debug/libX11-1.7.0-3.fc34.x86_64/src/ImUtil.c:439

previously allocated by thread T0 here:
    #0 0x7f1b47663f17 in calloc (/lib64/libasan.so.6+0xaef17)
    #1 0x7f1b4745dd06 in XCreateImage /usr/src/debug/libX11-1.7.0-3.fc34.x86_64/src/ImUtil.c:335

SUMMARY: AddressSanitizer: heap-use-after-free ../../../hacks/glx/texfont.c:751 in blank_character_p

Fix this by correcting the access to the im pointer.
---
 hacks/glx/texfont.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hacks/glx/texfont.c b/hacks/glx/texfont.c
index e4ff657..ac9b4d8 100644
--- a/hacks/glx/texfont.c
+++ b/hacks/glx/texfont.c
@@ -726,8 +726,6 @@ blank_character_p (texture_font_data *data, const char *string)
         xings[j++] = c;
     }
 
-  XDestroyImage (im);
-
   /* xings contains a schematic of how many times the color changed
      on a line, with duplicates removed, e.g.:
 
@@ -751,6 +749,7 @@ blank_character_p (texture_font_data *data, const char *string)
   else if (im->width < 2 || im->height < 2)
     ret = True;
 
+  XDestroyImage (im);
   free (xings);
   return ret;
 }
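Review bot: The relocated `XDestroyImage (im);` is now the only thing standing between the `im->width`/`im->height` read on the line above and a repeat of the heap-use-after-free this commit fixes, and nothing in the code says so; a one-line comment such as `/* im is still read above; destroy it only after the last access. */` above the call would keep a future reorder from reintroducing the bug. The part of blank_character_p between the two hunks, where the destroy call used to sit, is outside this patch, so I cannot see whether any path returns early before reaching this cleanup; if one does, moving the destroy to the end now leaks the image on that path, which is worth checking. The function's body starts outside the hunk.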
-- 
2.30.2