
Bug#849026: libxi_1.6.1-1+deb7u2 introduced free of unallocated object



Yes, I can confirm that those packages appear to resolve my problem as well.
Thanks for the quick response!

On Thu, Dec 22, 2016 at 1:27 PM Emilio Pozuelo Monfort <pochu@debian.org> wrote:
Hi,

On 21/12/16 23:07, Thomas Walker wrote:
> Package: libxi
> Version: 1.6.1-1+deb7u2
>
> After updating the above package (from deb7u1), various applications
> (google-chrome-stable notably) begin to crash with messages indicating an
> attempt to free an invalid pointer.  Upon looking into the issue further, I
> noticed that the following addition to XIQueryDevice.c is flawed:
>
> @@ -103,7 +130,17 @@
>      SyncHandle();
>      return info;
>
> +error_loop:
> +    while (--i >= 0)
> +    {
> +        Xfree(info[i].name);
> +        Xfree(info[i].classes);
> +    }
> error:
> +    Xfree(info);
> +    Xfree(buf);
>        UnlockDisplay(dpy);
>        SyncHandle();
>
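Review bot: at the `error:` label the two `Xfree()` calls run on every `goto error`, including the two that jump there before `info` and `buf` have been assigned, so on those paths the hunk frees whatever the uninitialised stack slots happen to hold, which is the invalid-pointer abort the report describes. Either initialise both pointers to NULL at their declaration, which keeps `Xfree(info); Xfree(buf);` at `error:` valid on every path because Xfree(NULL) is a no-op, or move those two frees into `error_loop:`; the second option is only correct if the third `goto error`, the one taken after the allocations have been checked and one found NULL, also releases the allocation that did succeed, otherwise that path leaks it.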
> There are 3 places that "goto error", two before info and buf are allocated, and
> one after we've checked and found one (or both) to be NULL.  Moving those
> Xfree()s up a couple of lines into error_loop (where we know they are already
> allocated) fixes the problem.

Thanks for your report. I have tried a different approach, initializing the
buffer to NULL, as Xfree(NULL) is safe (as Xfree is just a wrapper around free).

Moving the Xfree()s to error_loop would avoid this, but it could leak memory if
one of the two allocations fails (however unlikely that is).

Can you try the packages at https://people.debian.org/~pochu/lts/libxi/ ?

Thanks,
Emilio
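The cleanup ladder under discussion, as an added example that is not libXi code and not anyone's patch from this thread: a small model of XIQueryDevice()'s error paths with a tracking allocator, fault injection, and all three layouts side by side (the deb7u2 shape, the NULL-initialised pointers from the reply, and the frees moved into error_loop from the report). Info, tracked_malloc/tracked_free, query, run_scenario, FAIL_REQUEST, stack_garbage and the VARIANT_* names are all constructed here for the example and do not exist in libXi.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the XIQueryDevice() cleanup ladder, not libXi code. */
typedef struct { char *name; void *classes; } Info;

/* Tracking allocator standing in for Xmalloc()/Xfree(): it remembers live
 * pointers so a caller can detect leaks and frees of pointers it never handed
 * out, and it can be told to make the N-th allocation fail. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int alloc_calls, fail_alloc_no, invalid_frees;

static void *tracked_malloc(size_t n) {
    if (++alloc_calls == fail_alloc_no) return NULL;   /* injected failure */
    void *p = malloc(n ? n : 1);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;                                    /* Xfree(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;            /* the deb7u2 symptom: free() of a pointer nobody allocated */
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}

static void reset_tracker(void) {
    for (int i = 0; i < MAX_LIVE; i++) { free(live[i]); live[i] = NULL; }
    alloc_calls = fail_alloc_no = invalid_frees = 0;
}

enum { VARIANT_DEB7U2, VARIANT_NULL_INIT, VARIANT_FREE_IN_LOOP };
#define FAIL_REQUEST (-1)        /* fail before any allocation, like a failed reply */
static char stack_garbage[1];    /* stands in for whatever an uninitialised slot holds */

/* Returns the device array (count in *count_out) or NULL on failure. */
static Info *query(int variant, int ndevices, int fail_no, int *count_out) {
    Info *info;
    char *buf;
    int i = 0;

    if (variant == VARIANT_NULL_INIT) { info = NULL; buf = NULL; } /* the fix in the reply */
    else { info = (Info *)stack_garbage; buf = stack_garbage; }    /* left uninitialised */

    if (fail_no == FAIL_REQUEST) goto error;           /* the two early "goto error" paths */

    info = tracked_malloc((size_t)ndevices * sizeof *info);
    buf = tracked_malloc(64);
    if (!info || !buf) goto error;                     /* the third one, after allocation */

    for (i = 0; i < ndevices; i++) {
        info[i].name = tracked_malloc(16);
        info[i].classes = tracked_malloc(32);
        if (!info[i].name || !info[i].classes) {
            tracked_free(info[i].name);
            tracked_free(info[i].classes);
            goto error_loop;
        }
    }
    tracked_free(buf);
    *count_out = ndevices;
    return info;

error_loop:
    while (--i >= 0) {
        tracked_free(info[i].name);
        tracked_free(info[i].classes);
    }
    if (variant == VARIANT_FREE_IN_LOOP) {             /* the report's proposal */
        tracked_free(info);
        tracked_free(buf);
    }
error:
    if (variant != VARIANT_FREE_IN_LOOP) {             /* deb7u2 and the NULL-init fix */
        tracked_free(info);
        tracked_free(buf);
    }
    return NULL;
}

typedef struct { int ok, invalid_frees, leaked; } Outcome;

/* Runs one scenario from a clean tracker; leaked counts allocations still live
 * afterwards (a successful result is released first, so it never counts). */
static Outcome run_scenario(int variant, int ndevices, int fail_no) {
    Outcome o = {0, 0, 0};
    int n = 0;
    reset_tracker();
    fail_alloc_no = fail_no;
    Info *r = query(variant, ndevices, fail_no, &n);
    if (r) {
        o.ok = 1;
        for (int i = 0; i < n; i++) { tracked_free(r[i].name); tracked_free(r[i].classes); }
        tracked_free(r);
    }
    o.invalid_frees = invalid_frees;
    o.leaked = live_count();
    return o;
}

int main(void) {
    static const char *names[] = {"deb7u2", "NULL-init", "free-in-error_loop"};
    for (int v = VARIANT_DEB7U2; v <= VARIANT_FREE_IN_LOOP; v++) {
        Outcome a = run_scenario(v, 2, FAIL_REQUEST);   /* early error, nothing allocated */
        Outcome b = run_scenario(v, 2, 2);              /* info allocated, buf fails */
        printf("%-19s early: bad frees=%d leaked=%d | buf fails: bad frees=%d leaked=%d\n",
               names[v], a.invalid_frees, a.leaked, b.invalid_frees, b.leaked);
    }
    return 0;
}
```

run_scenario() reports how many frees hit a pointer the allocator never handed out and how many allocations are still live afterwards. The early-error case with the deb7u2 layout produces two invalid frees; the NULL-initialised layout is clean on every path, including a failure in the middle of the per-device loop; the free-in-error_loop layout is clean on the early paths but leaves `info` live when only the second allocation fails, which is the leak the reply above points out.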
