From aa15629f17d65d45c02c30b6392e74d752b520b3 Mon Sep 17 00:00:00 2001
From: Dan Robertson
Date: Sun, 11 Feb 2018 03:55:45 +0000
Subject: Fix memory errors

- read_line: OOB write when a line in /proc/modules contains a terminating character at size position.
- handle_view_created: Ensure that the list_t returned by criteria_for is free'd after use
- ipc_event_binding_keyboard/ipc_event_binding: Properly handle json_object reference counting and ownership.
---
 common/readline.c | 2 +-
 sway/handlers.c | 2 ++
 sway/ipc-server.c | 8 ++++++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/common/readline.c b/common/readline.c
index cc40a2cc..d35ba73e 100644
--- a/common/readline.c
+++ b/common/readline.c
@@ -36,7 +36,7 @@ char *read_line(FILE *file) {
 }
 string[length++] = c;
 }
- if (length + 1 == size) {
+ if (length + 1 >= size) {
 char *new_string = realloc(string, length + 1);
 if (!new_string) {
 free(string);
diff --git a/sway/handlers.c b/sway/handlers.c
index d3d5913b..616a01bb 100644
--- a/sway/handlers.c
+++ b/sway/handlers.c
@@ -484,6 +484,8 @@ static bool handle_view_created(wlc_handle handle) {
 // refocus in-between command lists
 set_focused_container(newview);
 }
+ // Make sure to free the list_t returned by criteria_for.
+ list_free(criteria);
 swayc_t *workspace = swayc_parent_by_type(focused, C_WORKSPACE);
 if (workspace && workspace->fullscreen) {
 set_focused_container(workspace->fullscreen);
diff --git a/sway/ipc-server.c b/sway/ipc-server.c
index e10445cf..6b704e49 100644
--- a/sway/ipc-server.c
+++ b/sway/ipc-server.c
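Review bot: The new `>=` also fires when `length + 1 == size`, and if `string` holds `size` bytes (the allocation is outside the hunk) that case still has room for the terminator, so `realloc(string, length + 1)` is then a same-size call; `if (length >= size) {` names the actual shortfall — the loop having filled the buffer exactly via `string[length++] = c;` — and avoids the spare call. Whichever condition stays, a why-comment would keep a later reader from restoring `==`: `// the loop may fill the buffer exactly; make room for the '\0'`. The buffer allocation, the terminating write and the rest of read_line all lie outside the hunk, so this assumes `length` never exceeds `size` on entry here.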
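Review bot: The new `list_free(criteria)` releases the list only on this path; the `criteria_for` call and any early returns of handle_view_created lie outside the hunk, so if the function can return between the two, those exits would still leak the list — worth confirming. The added comment restates the call itself; an ownership note is more useful to the next reader, e.g. `// criteria_for returns a fresh list_t; only the container is ours, the entries are not freed here` — provided list_free really leaves the elements alone, which the hunk does not show. handle_view_created starts and ends outside the hunk.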
@@ -1127,7 +1127,7 @@ static void ipc_event_binding(json_object *sb_obj) {
 json_object *obj = json_object_new_object();
 json_object_object_add(obj, "change", json_object_new_string("run"));
 // sb_obj gets owned by the temporary json_object, too.
- json_object_object_add(obj, "binding", json_object_get(sb_obj));
+ json_object_object_add(obj, "binding", sb_obj);
 const char *json_string = json_object_to_json_string(obj);
 ipc_send_event(json_string, IPC_EVENT_BINDING);
@@ -1171,9 +1171,13 @@ void ipc_event_binding_keyboard(struct sway_binding *sb) {
 keysym = *(uint32_t *)sb->keys->items[i];
 if (xkb_keysym_get_name(keysym, buffer, 64) > 0) {
 json_object *str = json_object_new_string(buffer);
- json_object_array_add(symbols, str);
 if (i == 0) {
+ // str is owned by both symbol and symbols. Make sure
+ // to bump the ref count.
+ json_object_array_add(symbols, json_object_get(str));
 symbol = str;
+ } else {
+ json_object_array_add(symbols, str);
 }
 }
 }
-- 
cgit v1.2.3
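Review bot: The context comment `// sb_obj gets owned by the temporary json_object, too.` is now misleading: with `json_object_get` dropped, the reference is transferred to `obj` rather than shared, so the caller of ipc_event_binding must not release `sb_obj` itself. Rewrite it as `// ownership of sb_obj transfers to obj; it is released together with obj`. Whether `obj` is put afterwards, and whether any caller still does its own put of `sb_obj`, lies outside the hunk, as does the rest of ipc_event_binding.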
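Review bot: The `if`/`else` now duplicates `json_object_array_add`, and the comment leaves it unclear which reference ends up where; taking the extra reference at the point `symbol` is assigned, and always handing the original to the array, gives the same refcount with one call site: `if (i == 0) { symbol = json_object_get(str); }` followed by `json_object_array_add(symbols, str);`. Either way the reference held by `symbol` must later be consumed or put; that code, like the rest of ipc_event_binding_keyboard, is outside the hunk and is worth checking for a matching release.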