From bce12f2956f23c0ee53f7f6485dba631293a0931 Mon Sep 17 00:00:00 2001 From: Jesse Adkins Date: Wed, 4 Aug 2010 23:39:14 -0700 Subject: [PATCH] xfree86: parser: Never use constant strings for driver names (fixes #17438) When the parser sees the "keyboard" driver, it automatically (and silently) replaces it with the constant string "kbd". Everybody else uses malloc'd memory for the driver name, so input device closure assumes it can use free. Free val.str, so this crash doesn't turn into a memory leak. Whew. Signed-off-by: Jesse Adkins Reviewed-by: Peter Hutterer Signed-off-by: Peter Hutterer --- hw/xfree86/parser/Input.c | 7 +++++-- hw/xfree86/parser/InputClass.c | 6 ++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/hw/xfree86/parser/Input.c b/hw/xfree86/parser/Input.c index 50869d488..faff0f45f 100644 --- a/hw/xfree86/parser/Input.c +++ b/hw/xfree86/parser/Input.c @@ -59,6 +59,7 @@ #include #endif +#include "os.h" #include "xf86Parser.h" #include "xf86tokens.h" #include "Configint.h" @@ -102,8 +103,10 @@ xf86parseInputSection (void) case DRIVER: if (xf86getSubToken (&(ptr->inp_comment)) != STRING) Error (QUOTE_MSG, "Driver"); - if (strcmp(val.str, "keyboard") == 0) - ptr->inp_driver = "kbd"; + if (strcmp(val.str, "keyboard") == 0) { + ptr->inp_driver = strdup("kbd"); + free(val.str); + } else ptr->inp_driver = val.str; break; diff --git a/hw/xfree86/parser/InputClass.c b/hw/xfree86/parser/InputClass.c index ce611d990..9f88e7ee4 100644 --- a/hw/xfree86/parser/InputClass.c +++ b/hw/xfree86/parser/InputClass.c @@ -111,8 +111,10 @@ xf86parseInputClassSection(void) case DRIVER: if (xf86getSubToken(&(ptr->comment)) != STRING) Error(QUOTE_MSG, "Driver"); - if (strcmp(val.str, "keyboard") == 0) - ptr->driver = "kbd"; + if (strcmp(val.str, "keyboard") == 0) { + ptr->driver = strdup("kbd"); + free(val.str); + } else ptr->driver = val.str; break;