Package: libxi
Version: 1.6.1-1+deb7u2
After updating the above package (from deb7u1), various applications (google-chrome-stable notably) begin to crash with messages indicating an attempt to free an invalid pointer. Upon looking into the issue further, I noticed that the following addition to XIQueryDevice.c is flawed:
@@ -103,7 +130,17 @@
SyncHandle();
return info;
+error_loop:
+ while (--i >= 0)
+ {
+ Xfree(info[i].name);
+ Xfree(info[i].classes);
+ }
error:
+ Xfree(info);
+ Xfree(buf);
UnlockDisplay(dpy);
SyncHandle();
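Review bot: At the `error:` label, the added `Xfree(info);` and `Xfree(buf);` run on every `goto error`, and the report notes that two of those jumps happen before either pointer is allocated, so these calls can receive uninitialized pointers. Either initialize both pointers to NULL where they are declared (outside this hunk) or free them only on paths reached after allocation. If the frees are moved under `error_loop:` instead, check the path where one allocation succeeded and the other returned NULL, since that path jumps to `error:` and would no longer release the one that succeeded. The `while (--i >= 0)` loop also depends on `i` being a signed type, which the hunk does not show.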
There are 3 places that "goto error", two before info and buf are allocated, and one after we've checked and found one (or both) to be NULL. Moving those Xfree()s up a couple of lines into error_loop (where we know they are already allocated) fixes the problem.
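The cleanup problem described in this report, as an added example that is not libXi code and not part of the original report: a single `error:` label stays safe on all three kinds of exit when the pointers start out NULL. The names `dev_info`, `query_devices`, `free_devices`, `xalloc`, `xfree` and the `fail_stage` switch are hypothetical, and the allocation counter exists only so the result can be checked.

```c
#include <stdlib.h>
/* Hypothetical stand-in for the per-device record in the report. */
typedef struct { char *name; int *classes; } dev_info;

int live_allocs = 0;          /* outstanding allocations, for checking */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p)    { if (p) { live_allocs--; free(p); } }

/* fail_stage: 0 = fail before any allocation, 1 = fail right after the
 * two allocations, 2 = fail while filling entry fail_index, -1 = succeed. */
dev_info *query_devices(int ndevices, int fail_stage, int fail_index)
{
    dev_info *info = NULL;    /* NULL until allocated, so cleanup is safe */
    char *buf = NULL;
    int i = 0;                /* signed: the cleanup loop counts below zero */

    if (fail_stage == 0)
        goto error;           /* early exit: nothing allocated yet */

    info = xalloc(sizeof(*info) * (size_t)ndevices);
    buf = xalloc(64);
    if (!info || !buf || fail_stage == 1)
        goto error;           /* one or both may be allocated */

    for (i = 0; i < ndevices; i++) {
        if (fail_stage == 2 && i == fail_index)
            goto error;       /* entries 0..i-1 are populated */
        info[i].name = xalloc(16);
        info[i].classes = xalloc(4 * sizeof(int));
        if (!info[i].name || !info[i].classes) { i++; goto error; }
    }
    xfree(buf);
    return info;

error:
    while (--i >= 0) {        /* no iterations unless the loop was entered */
        xfree(info[i].name);
        xfree(info[i].classes);
    }
    xfree(info);
    xfree(buf);
    return NULL;
}

void free_devices(dev_info *info, int n)
{
    while (--n >= 0) { xfree(info[n].name); xfree(info[n].classes); }
    xfree(info);
}
```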