Accessing freed memory in LibICE version 1.0.9 in file "process.c" at line 1177, as the relevant pointer is not assigned NULL after freeing.
Submitted by Sachin Kumar Gupta
Assigned to Xorg Project Team
Description
Created attachment 105420: Patch for the reported bug.
Component: LibICE
Version: 1.0.9
File where error is: src/process.c
Function where error is: ProcessAuthRequired
Line of error: 1177
In reference to the code quoted below:
Here "iceConn->connect_to_you" in the if conditional may already have been freed by "IceReadCompleteMessage", a macro that internally calls "_IceRead", which in turn calls "_IceFreeConnection". That function frees "iceConn->connect_to_you" but does not assign NULL to it, so even after "iceConn->connect_to_you" has been freed the if conditional still evaluates TRUE, and the dangling pointer is then dereferenced later as:
    iceConn->connect_to_you->auth_active = 1;
Code where error exists (LibICE v1.0.9 code):
    if (iceConn->connect_to_you)   /* TRUE even if connect_to_you was freed, since it was never set to NULL */
    {
        if ((int) message->authIndex >= _IceAuthCount)
        {
            _IceConnectionError *errorReply =
                &(((_IceReply *) (replyWait->reply))->connection_error);
            const char *tempstr
                = "Received bad authIndex in the AuthRequired message";
            char errIndex = (int) message->authIndex;

            errorString = strdup(tempstr);

            errorReply->type = ICE_CONNECTION_ERROR;
            errorReply->error_message = errorString;

            _IceErrorBadValue (iceConn, 0,
                ICE_AuthRequired, 2, 1, &errIndex);

            IceDisposeCompleteMessage (iceConn, authData);
            return (1);
        }
        else
        {
            authProc = _IcePoAuthProcs[message->authIndex];
            iceConn->connect_to_you->auth_active = 1;   /* write through a possibly freed pointer */
        }
    }
File where fix is to be made: src/shutdown.c
Function where fix is required: _IceFreeConnection

LibICE version 1.0.9 code:
    if (iceConn->connect_to_you)
        free (iceConn->connect_to_you);

Recommended code:
    if (iceConn->connect_to_you)
    {
        free (iceConn->connect_to_you);
        iceConn->connect_to_you = NULL;
    }
I am attaching a patch for the same, "shutdown.patch".
Attachment 105420, "Patch for the reported bug.":
shutdown.patch
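The following is an added, self-contained C example (not libICE code and not the reporter's patch) that models the defect described above: a teardown routine that frees connect_to_you without resetting it, placed beside one that applies the recommended fix. The IceConn and ConnectToYou structs are constructed stand-ins with only the one field the report talks about. The guard function reports whether the "if (iceConn->connect_to_you)" test would still pass after teardown, and deliberately does not write through the pointer, so the example itself never touches freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the libICE types; only the field the bug
 * report discusses is modelled. */
typedef struct {
    int auth_active;
} ConnectToYou;

typedef struct {
    ConnectToYou *connect_to_you;
} IceConn;

/* Models _IceFreeConnection as it appears in libICE 1.0.9 (per the report):
 * the allocation is released but the pointer is left dangling. */
static void free_connection_buggy(IceConn *c)
{
    if (c->connect_to_you)
        free(c->connect_to_you);
}

/* Models the recommended fix: release, then reset the pointer so later
 * "if (iceConn->connect_to_you)" guards evaluate FALSE. */
static void free_connection_fixed(IceConn *c)
{
    if (c->connect_to_you) {
        free(c->connect_to_you);
        c->connect_to_you = NULL;
    }
}

/* Models the guard in ProcessAuthRequired. Returns 1 when the guard would
 * pass and the real code would go on to write connect_to_you->auth_active,
 * 0 when the guard correctly skips it. Only the pointer value stored in
 * the (still live) IceConn is read here; the pointee is never touched. */
static int guard_would_dereference(const IceConn *c)
{
    return c->connect_to_you != NULL;
}

/* Allocate a connection, tear it down with the given routine, then check
 * what the guard in ProcessAuthRequired would decide. Returns -1 on OOM. */
static int scenario(void (*teardown)(IceConn *))
{
    IceConn conn;

    conn.connect_to_you = calloc(1, sizeof *conn.connect_to_you);
    if (!conn.connect_to_you)
        return -1;

    teardown(&conn);
    return guard_would_dereference(&conn);
}

int main(void)
{
    printf("1.0.9-style teardown: guard passes = %d (a write would be a use-after-free)\n",
           scenario(free_connection_buggy));
    printf("fixed teardown:       guard passes = %d\n",
           scenario(free_connection_fixed));
    return 0;
}
```

With the 1.0.9-style teardown the guard still passes (1), so the subsequent assignment in ProcessAuthRequired writes into freed heap memory; with the NULL reset it fails (0) and the dereference is skipped. If the write were actually performed in the buggy path, a build with -fsanitize=address would report it as a heap-use-after-free, which is the quickest way to confirm this class of bug in the real library.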