From 506961706f1a86ab1fc9fbda20f8341f912c1025 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Wed, 24 Mar 2021 01:36:39 +0900
Subject: [PATCH] blank_character_p: fix use-after-free
unicrud in xscreensaver 6.00b2 causes segfault with use-after-free:
=================================================================
==1024582==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011b00 at pc 0x0000004286b0 bp 0x7ffeeff33710 sp 0x7ffeeff33708
READ of size 4 at 0x60d000011b00 thread T0
#0 0x4286af in blank_character_p ../../../hacks/glx/texfont.c:751
#1 0x4286af in pick_unichar ../../../hacks/glx/unicrud.c:637
#2 0x44861f in init_unicrud ../../../hacks/glx/unicrud.c:872
#3 0x414f1f in xlockmore_do_init ../../../hacks/xlockmore.c:572
#4 0x415dd0 in xlockmore_check_init ../../../hacks/xlockmore.c:595
#5 0x415dd0 in xlockmore_check_init ../../../hacks/xlockmore.c:591
#6 0x415dd0 in xlockmore_event ../../../hacks/xlockmore.c:682
#7 0x40a1c3 in screenhack_table_handle_events ../../../hacks/screenhack.c:463
#8 0x40a1c3 in usleep_and_process_events ../../../hacks/screenhack.c:522
#9 0x40a1c3 in run_screenhack_table ../../../hacks/screenhack.c:582
#10 0x40a1c3 in main ../../../hacks/screenhack.c:996
#11 0x7f1b465feb74 in __libc_start_main ../csu/libc-start.c:332
#12 0x40ba6d in _start (/home/tasaka1/rpmbuild/fedora-specific/TMP/xscreensaver/rawhide/xscreensaver-6.00b2/x86_64-pc-linux-gnu/hacks/glx/unicrud+0x40ba6d)
0x60d000011b00 is located 0 bytes inside of 136-byte region [0x60d000011b00,0x60d000011b88)
freed by thread T0 here:
#0 0x7f1b47663a67 in free (/lib64/libasan.so.6+0xaea67)
#1 0x7f1b4745d211 in _XDestroyImage /usr/src/debug/libX11-1.7.0-3.fc34.x86_64/src/ImUtil.c:439
previously allocated by thread T0 here:
#0 0x7f1b47663f17 in calloc (/lib64/libasan.so.6+0xaef17)
#1 0x7f1b4745dd06 in XCreateImage /usr/src/debug/libX11-1.7.0-3.fc34.x86_64/src/ImUtil.c:335
SUMMARY: AddressSanitizer: heap-use-after-free ../../../hacks/glx/texfont.c:751 in blank_character_p
Fix this by destroying the image only after the last access to the im pointer.
---
hacks/glx/texfont.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hacks/glx/texfont.c b/hacks/glx/texfont.c
index e4ff657..ac9b4d8 100644
--- a/hacks/glx/texfont.c
+++ b/hacks/glx/texfont.c
@@ -726,8 +726,6 @@ blank_character_p (texture_font_data *data, const char *string)
xings[j++] = c;
}
- XDestroyImage (im);
-
/* xings contains a schematic of how many times the color changed
on a line, with duplicates removed, e.g.:
@@ -751,6 +749,7 @@ blank_character_p (texture_font_data *data, const char *string)
else if (im->width < 2 || im->height < 2)
ret = True;
+ XDestroyImage (im);
free (xings);
return ret;
}
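Review bot: The `XDestroyImage (im);` added before `free (xings)` now runs only on this exit path, so any return between the image's creation and this line (none is visible in the hunk, and blank_character_p begins outside it) would leak the image where the old, earlier placement did not; worth confirming no such early return exists in the part of the function the hunk does not show. The new ordering itself is right, since `im->width` / `im->height` on the preceding line appear to be the last dereferences of im. A one-line comment above the new call would keep the next maintainer from moving it back up into the scanning loop: `/* im is still read by the else-if chain above; destroy it only after the last dereference. */`.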
--
2.30.2