x11: don't return freed memory from get_clipboard

There is a double free in client/x11/platform.cpp. In get_selection(), in the exit: case with ret_val == -1 and data != NULL, *data_ret (which is returned to the caller) has already been assigned "data", so it will be pointing to freed memory when "data" is XFree'd'. Then in handle_selection_notify, get_selection_free is called on this pointer, which causes a double free. When the length of the read data = 0, set the returned value to NULL, this way subsequent free attempts will be a noop. Fixes RH bug #710461
2025-12-26 22:48:19 +00:00 · 2011-07-07 16:13:27 +02:00 · 2011-07-07 16:13:27 +02:00 · 933ca15ff4
commit 933ca15ff4
parent 40043d3bc2
1 changed files with 6 additions and 2 deletions
--- a/client/x11/platform.cpp
+++ b/client/x11/platform.cpp
@ -2575,8 +2575,12 @@ static int get_selection(XEvent &event, Atom type, Atom prop, int format,
        }
        len = clipboard_data_size;
        *data_ret = clipboard_data;
-    } else
-        *data_ret = data;
+    } else {
+        if (len > 0)
+            *data_ret = data;
+        else
+            *data_ret = NULL;
+    }

    if (len > 0)
        ret_val = len;