[gimp/gimp-2-8] Bug 685445 - color-to-alpha plugin crashes (use-after-free)



commit 19b9ae79dae92e459e434baaf041f3c5b0d960c0
Author: Michael Natterer <mitch gimp org>
Date:   Mon Oct 22 19:03:00 2012 +0200

    Bug 685445 - color-to-alpha plugin crashes (use-after-free)
    
    gimp_tile_put(): make sure we don't free libgimp's tile data twice in
    the non-SHM case. I could never reproduce the bug, but I'm pretty sure
    this fixes it. The change in gimpprotocol.c is just cleanup.
    (cherry picked from commit 0a5059da519ce4831e485ecee37863306c445c73)

 libgimp/gimptile.c         |    3 +++
 libgimpbase/gimpprotocol.c |    7 ++++++-
 2 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/libgimp/gimptile.c b/libgimp/gimptile.c
index ee0a5f4..05cbe81 100644
--- a/libgimp/gimptile.c
+++ b/libgimp/gimptile.c
@@ -272,6 +272,9 @@ gimp_tile_put (GimpTile *tile)
   if (! gp_tile_data_write (_writechannel, &tile_data, NULL))
     gimp_quit ();
 
+  if (! tile_info->use_shm)
+    tile_data.data = NULL;
+
   gimp_wire_destroy (&msg);
 
   gimp_read_expect_msg (&msg, GP_TILE_ACK);
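Review bot: The added `tile_data.data = NULL;` carries no comment naming the free it guards against, and nothing visible in this hunk frees the local `tile_data`, so the fix cannot be verified from the code shown. The commit message says the crash was never reproduced, which makes the rationale worth recording in place. Above the `if` I would add something like `/* non-SHM: tile_data.data only borrows the tile's buffer (presumably tile->data, set above this hunk); clear it so no destroy path can g_free() memory libgimp still owns */`. The body of gimp_tile_put starts and ends outside the hunk, so the assignment of `tile_data.data` and any later cleanup should be confirmed against the full function.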
diff --git a/libgimpbase/gimpprotocol.c b/libgimpbase/gimpprotocol.c
index ab0bdc8..4b61bc7 100644
--- a/libgimpbase/gimpprotocol.c
+++ b/libgimpbase/gimpprotocol.c
@@ -833,7 +833,12 @@ _gp_tile_data_destroy (GimpWireMessage *msg)
 
   if  (tile_data)
     {
-      g_free (tile_data->data);
+      if (tile_data->data)
+        {
+          g_free (tile_data->data);
+          tile_data->data = NULL;
+        }
+
       g_slice_free (GPTileData, tile_data);
     }
 }
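Review bot: In `_gp_tile_data_destroy` the new `if (tile_data->data)` guard and the `tile_data->data = NULL;` store add no protection. `g_free()` already accepts NULL, and the struct goes to `g_slice_free` in the next statement, so no valid code can read the cleared field afterwards. The original single line `g_free (tile_data->data);` is equivalent and shorter. More useful here would be a comment stating the ownership rule that the gimptile.c change relies on, e.g. `/* frees tile_data->data: a caller that stored a borrowed buffer there must set it to NULL before the message is destroyed */`. The function starts above the hunk, so how `tile_data` is obtained from `msg` is not visible.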


