From: Sergi Granell Date: Thu, 18 Feb 2016 22:59:29 +0000 (+0100) Subject: server: Fix shm_create_pool size fail path fd leak X-Git-Tag: 1.10.91~27 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5fe7e7ca78eb8c5435f35ed47b54aabdbdcaadf7;p=platform%2Fupstream%2Fwayland.git server: Fix shm_create_pool size fail path fd leak If the client passed a size <= 0 to shm_create_pool, it would go to err_free, which wouldn't close the fd, and thus leave it opened. We can also move the size check before the struct wl_shm_pool malloc, so in case the client passes a wrong size, it won't do an unnecessary malloc and then free. Reviewed-by: Bryce Harrington Reviewed-by: Pekka Paalanen --- diff --git a/src/wayland-shm.c b/src/wayland-shm.c index a4343a4..81bf657 100644 --- a/src/wayland-shm.c +++ b/src/wayland-shm.c @@ -230,17 +230,17 @@ shm_create_pool(struct wl_client *client, struct wl_resource *resource, { struct wl_shm_pool *pool; - pool = malloc(sizeof *pool); - if (pool == NULL) { - wl_client_post_no_memory(client); - goto err_close; - } - if (size <= 0) { wl_resource_post_error(resource, WL_SHM_ERROR_INVALID_STRIDE, "invalid size (%d)", size); - goto err_free; + goto err_close; + } + + pool = malloc(sizeof *pool); + if (pool == NULL) { + wl_client_post_no_memory(client); + goto err_close; } pool->refcount = 1; @@ -251,7 +251,7 @@ shm_create_pool(struct wl_client *client, struct wl_resource *resource, wl_resource_post_error(resource, WL_SHM_ERROR_INVALID_FD, "failed mmap fd %d", fd); - goto err_close; + goto err_free; } close(fd); @@ -270,10 +270,10 @@ shm_create_pool(struct wl_client *client, struct wl_resource *resource, return; -err_close: - close(fd); err_free: free(pool); +err_close: + close(fd); } static const struct wl_shm_interface shm_interface = {