From 6883ae43eb72fe4e2651c1dca209563323fad2db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20=C5=9Aniatowski?=
Date: Wed, 6 Dec 2017 12:16:17 +0100
Subject: [PATCH] os: Fix strtok/free crash in ComputeLocalClient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don't reuse cmd for strtok output to ensure the proper pointer is freed afterwards. The code incorrectly assumed the pointer returned by strtok(cmd, ":") would always point to cmd. However, strtok(str, sep) != str if str begins with sep. This caused an invalid-free crash when running a program under X with a name beginning with a colon.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
Signed-off-by: Tomasz Śniatowski
Reviewed-by: Michel Dänzer
---
 os/access.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/os/access.c b/os/access.c
index 8828e0834..97246160c 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1137,12 +1137,12 @@ ComputeLocalClient(ClientPtr client)
 /* Cut off any colon and whatever comes after it, see
 * https://lists.freedesktop.org/archives/xorg-devel/2015-December/048164.html
 */
- cmd = strtok(cmd, ":");
+ char *tok = strtok(cmd, ":");
 #if !defined(WIN32) || defined(__CYGWIN__)
- ret = strcmp(basename(cmd), "ssh") != 0;
+ ret = strcmp(basename(tok), "ssh") != 0;
 #else
- ret = strcmp(tok, "ssh") != 0;
+ ret = strcmp(tok, "ssh") != 0;
 #endif
 free(cmd);
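Review bot: `tok` is used unchecked on both `strcmp` lines, but `strtok(cmd, ":")` returns NULL when `cmd` is empty or consists only of colons, which is the same class of client-controlled name as the one in the bug report. On the WIN32 branch that puts NULL straight into `strcmp`, and on the other branch the result depends on whether the `basename` in use tolerates a NULL argument. A guard such as `ret = tok == NULL || strcmp(basename(tok), "ssh") != 0;` (and the matching form in the `#else` arm) would avoid the dereference. Whether an unparseable name should count as "not ssh" is a policy choice to confirm against the rest of ComputeLocalClient, which continues outside this hunk.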