Bug#849026: marked as done (libxi_1.6.1-1+deb7u2 introduced free of unallocated object)

To: Emilio Pozuelo Monfort <pochu@debian.org>

Subject: Bug#849026: marked as done (libxi_1.6.1-1+deb7u2 introduced free of unallocated object)

From: owner@bugs.debian.org (Debian Bug Tracking System)

Date: Thu, 29 Dec 2016 10:51:03 +0000

Message-id: <[🔎] handler.849026.D849026.14830085187151.ackdone@bugs.debian.org>

References: <E1cMYGC-0006JZ-23@fasolo.debian.org> <[🔎] CAAp9V_gAJLJiaXkYf5LKkHb+KfmM5sdM_XnbuUQWqv4=-t7G=g@mail.gmail.com>

Your message dated Thu, 29 Dec 2016 10:48:36 +0000 with message-id <E1cMYGC-0006JZ-23@fasolo.debian.org> and subject line Bug#849026: fixed in libxi 2:1.7.8-2 has caused the Debian Bug report #849026, regarding libxi_1.6.1-1+deb7u2 introduced free of unallocated object to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 849026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849026 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: libxi_1.6.1-1+deb7u2 introduced free of unallocated object
From: Thomas Walker <thwalker3@gmail.com>
Date: Wed, 21 Dec 2016 22:07:07 +0000
Message-id: <[🔎] CAAp9V_gAJLJiaXkYf5LKkHb+KfmM5sdM_XnbuUQWqv4=-t7G=g@mail.gmail.com>

Package: libxi

Version: 1.6.1-1+deb7u2

After updating the above package (from deb7u1), various applications (google-chrome-stable notably) begin to crash with messages indicating an attempt to free an invalid pointer. Upon looking into the issue further, I noticed that the following addition to XIQueryDevice.c is flawed:

@@ -103,7 +130,17 @@

SyncHandle();

return info;

+error_loop:

+ while (--i >= 0)

+ {

+ Xfree(info[i].name);

+ Xfree(info[i].classes);

+ }

error:

+ Xfree(info);

+ Xfree(buf);

UnlockDisplay(dpy);

SyncHandle();

There are 3 places that "goto error", two before info and buf are allocated, and one after we've checked and found one (or both) to be NULL. Moving those Xfree()s up a couple of lines into error_loop (where we know they are already allocated) fixes the problem.

--- End Message ---

--- Begin Message ---

To: 849026-close@bugs.debian.org
Subject: Bug#849026: fixed in libxi 2:1.7.8-2
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Thu, 29 Dec 2016 10:48:36 +0000
Message-id: <E1cMYGC-0006JZ-23@fasolo.debian.org>

Source: libxi
Source-Version: 2:1.7.8-2

We believe that the bug you reported is fixed in the latest version of
libxi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libxi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Dec 2016 11:22:29 +0100
Source: libxi
Binary: libxi6 libxi6-udeb libxi-dev
Architecture: source
Version: 2:1.7.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 libxi-dev  - X11 Input extension library (development headers)
 libxi6     - X11 Input extension library
 libxi6-udeb - X11 Input extension library (udeb)
Closes: 849026
Changes:
 libxi (2:1.7.8-2) unstable; urgency=medium
 .
   * Cherry-pick upstream commit 557b6079, don't free an uninitialized
     buffer. Closes: #849026.
Checksums-Sha1:
 1dc19e90cc1765f6f580caa3b80c94df6531ea32 2202 libxi_1.7.8-2.dsc
 3cf75684a7263f41cbd6fbf9e1709202ca9005eb 604295 libxi_1.7.8.orig.tar.gz
 c2b5263a5cb2921100f31c061de37fb84774e5ec 15765 libxi_1.7.8-2.diff.gz
Checksums-Sha256:
 5928022c4607b10b75c95e0b3d6474801895ef12eee3c16c9d5ebf1c366334ab 2202 libxi_1.7.8-2.dsc
 7466d0c626a9cc2e53fd78c811815e82924cd7582236a82401df3d282a9c2889 604295 libxi_1.7.8.orig.tar.gz
 47450993e29758a08d99a6b7c79c4044fb7bf0a5dd8ac5193c4d70555e46815d 15765 libxi_1.7.8-2.diff.gz
Files:
 891888a49e3c591c7999bc494b24ea47 2202 x11 optional libxi_1.7.8-2.dsc
 0b7e861d0591451f89d8f87ff558900c 604295 x11 optional libxi_1.7.8.orig.tar.gz
 54a54c5359d8daf5bd7fcc0005f0e924 15765 x11 optional libxi_1.7.8-2.diff.gz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlhk5DsACgkQnUbEiOQ2
gwK/iBAAiRE6nCQpibRMBcAhWmvVQIT1Oid1mmXqS+IpoIVMwRac1UaW+Sye9S1w
ecAVKj93vA8xp1LM/j2MUl6YO8Q5gzX73vHPuf5c0todgASOOzfZbWznWFu45Jqc
ZEnKH758YETuAaWIxivLofAetFd/hCRU0xEx41fvkcmY5cpxuzhYRWXYlbQvW+2y
udfLrDE0hiLhlQEfaNxujmtoRZZDBEo/q574LP3TsRrNgmIGFbSSgip0gB9NvAyT
cCLf3jSd3bjv2yecvL77169UtHgR8wQuhVisi+zsAy0JD6Y21gxk9oVRBLzx6Y+u
szLnt02k2InLWlt7TEZkT4MlmypLnvLBjfFozcPeD+fXJe/TQLUn05HGqWtIBNt9
e6LlI6rWtRtyY4sGDQtcLo2SVohMLcR7eSY+4fVNbFydBc/7O13iH/P3/Cd5Tu9X
55ucG+lUElGmSOs5k/x0RR2VeBJ5Oqy3hNrr02GZFbq6q20OkbrJMRShfbK2DcRb
HSHsXKK2ky1GqFgRmMJf1ExPVKuc+GDd45huk4tnFlIpAtNf8n+0WfUGWSB4e/SX
CEV7DluW1s4mw82mXev7/JiFEAqnwBOvTHVy0/zXMnwfn8VZCX48Bqu2z+hIpB2x
N8Dr9KRCZLjQUQn4463KgQ6tGVX/8EqmmfffMx+rDIyGqgPbyAE=
=28zw
-----END PGP SIGNATURE-----

--- End Message ---

Reply to: