From 005b26456b10eef7eb5933c1bb5116b5c765bfcc Mon Sep 17 00:00:00 2001
From: Collin
Date: Thu, 26 Jun 2025 20:07:17 -0500
Subject: [PATCH 1/3] Update OutputClass.c to Fix Double Free found in CodeQL added the newpath variable and restructured if else loop with a strdup(xf86_lex_val.str); to populate newpath separately to avoid bug
---
 hw/xfree86/parser/OutputClass.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/hw/xfree86/parser/OutputClass.c b/hw/xfree86/parser/OutputClass.c
index cd9a19179..4efc9a766 100644
--- a/hw/xfree86/parser/OutputClass.c
+++ b/hw/xfree86/parser/OutputClass.c
@@ -123,16 +123,21 @@ xf86parseOutputClassSection(void)
 ptr->driver = xf86_lex_val.str;
 break;
 case MODULEPATH:
- if (xf86getSubToken(&(ptr->comment)) != XF86_TOKEN_STRING)
+ if (xf86getSubToken(&ptr->comment) != XF86_TOKEN_STRING)
 Error(QUOTE_MSG, "ModulePath");
+ {
+ char *newpath;
 if (ptr->modulepath) {
- char *path;
- XNFasprintf(&path, "%s,%s", ptr->modulepath, xf86_lex_val.str);
- free(xf86_lex_val.str);
- free(ptr->modulepath);
- ptr->modulepath = path;
- } else {
- ptr->modulepath = xf86_lex_val.str;
+ XNFasprintf(&newpath, "%s,%s",
+ ptr->modulepath,
+ xf86_lex_val.str);
+ free(ptr->modulepath);
+ }
+ else {
+ newpath = strdup(xf86_lex_val.str);
+ }
+ free(xf86_lex_val.str);
+ ptr->modulepath = newpath;
 }
 break;
 case OPTION:
From 42b3097a20b1aca68b87f1129ac06950d5b08ffc Mon Sep 17 00:00:00 2001
From: Collin
Date: Fri, 27 Jun 2025 04:39:06 -0500
Subject: [PATCH 2/3] Update OutputClass.c made a better one line version of similar double free fix
---
 hw/xfree86/parser/OutputClass.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/hw/xfree86/parser/OutputClass.c b/hw/xfree86/parser/OutputClass.c
index 4efc9a766..8240f0272 100644
--- a/hw/xfree86/parser/OutputClass.c
+++ b/hw/xfree86/parser/OutputClass.c
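Review bot: In patch 1/3 the new else branch, `newpath = strdup(xf86_lex_val.str);`, does not check the result, so an allocation failure stores NULL in `ptr->modulepath` and the configured ModulePath is silently dropped, while the other branch uses the aborting `XNFasprintf`. Using `newpath = XNFstrdup(xf86_lex_val.str);` would keep both branches consistent, provided its declaration is available in this file. The same line comes back in the hunk of patch 3/3. The hunk does not show which path freed a pointer twice before this change, so the commit message should name it. xf86parseOutputClassSection starts and ends outside the hunk.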
@@ -123,21 +123,16 @@ xf86parseOutputClassSection(void)
 ptr->driver = xf86_lex_val.str;
 break;
 case MODULEPATH:
- if (xf86getSubToken(&ptr->comment) != XF86_TOKEN_STRING)
+ if (xf86getSubToken(&(ptr->comment)) != XF86_TOKEN_STRING)
 Error(QUOTE_MSG, "ModulePath");
- {
- char *newpath;
 if (ptr->modulepath) {
- XNFasprintf(&newpath, "%s,%s",
- ptr->modulepath,
- xf86_lex_val.str);
- free(ptr->modulepath);
- }
- else {
- newpath = strdup(xf86_lex_val.str);
- }
- free(xf86_lex_val.str);
- ptr->modulepath = newpath;
+ char *path;
+ XNFasprintf(&path, "%s,%s", ptr->modulepath, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ (ptr->modulepath == xf86_lex_val.str) || free(ptr->modulepath);
+ ptr->modulepath = path;
+ } else {
+ ptr->modulepath = xf86_lex_val.str;
 }
 break;
 case OPTION:
From fd0ea3d55d3f172f49912db813802fbc043f6d20 Mon Sep 17 00:00:00 2001
From: Collin
Date: Fri, 27 Jun 2025 06:52:22 -0500
Subject: [PATCH 3/3] Update OutputClass.c
---
 hw/xfree86/parser/OutputClass.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/hw/xfree86/parser/OutputClass.c b/hw/xfree86/parser/OutputClass.c
index 8240f0272..4efc9a766 100644
--- a/hw/xfree86/parser/OutputClass.c
+++ b/hw/xfree86/parser/OutputClass.c
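Review bot: In patch 2/3 the added `(ptr->modulepath == xf86_lex_val.str) || free(ptr->modulepath);` is not valid standard C, because `free()` returns void and a void expression cannot be an operand of `||`. The comparison also reads `xf86_lex_val.str` after the preceding `free(xf86_lex_val.str);`, so it tests a pointer value that has already been released. If an aliasing guard is wanted, test first and release afterwards: `if (ptr->modulepath != xf86_lex_val.str) free(ptr->modulepath);` followed by `free(xf86_lex_val.str);`. Patch 3/3 puts the patch 1/3 form back, so squashing the series would keep a non-building intermediate commit out of the history.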
@@ -123,16 +123,21 @@ xf86parseOutputClassSection(void)
 ptr->driver = xf86_lex_val.str;
 break;
 case MODULEPATH:
- if (xf86getSubToken(&(ptr->comment)) != XF86_TOKEN_STRING)
+ if (xf86getSubToken(&ptr->comment) != XF86_TOKEN_STRING)
 Error(QUOTE_MSG, "ModulePath");
+ {
+ char *newpath;
 if (ptr->modulepath) {
- char *path;
- XNFasprintf(&path, "%s,%s", ptr->modulepath, xf86_lex_val.str);
- free(xf86_lex_val.str);
- (ptr->modulepath == xf86_lex_val.str) || free(ptr->modulepath);
- ptr->modulepath = path;
- } else {
- ptr->modulepath = xf86_lex_val.str;
+ XNFasprintf(&newpath, "%s,%s",
+ ptr->modulepath,
+ xf86_lex_val.str);
+ free(ptr->modulepath);
+ }
+ else {
+ newpath = strdup(xf86_lex_val.str);
+ }
+ free(xf86_lex_val.str);
+ ptr->modulepath = newpath;
 }
 break;
 case OPTION:
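Review bot: After the added `free(xf86_lex_val.str);` the global `xf86_lex_val.str` still holds the freed address while the parser moves on to the next token. Adding `xf86_lex_val.str = NULL;` on the following line would make an accidental later read or free of the stale value harmless; whether any such use exists is not visible in this hunk. A short comment on the bare `{` block, for example `/* modulepath owns a private copy; the lexer string is released below */`, would record the ownership rule this change introduces. The enclosing function starts and ends outside the hunk.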