Problem investigating a heap-use-after-free in kwindowsystem

Thomas Lübking thomas.luebking at gmail.com
Fri Oct 2 21:34:43 BST 2015


get_stringlist_reply creates the byte arrays with QByteArray::fromRawData(), nukes the reply and returns the list, which now contains freed memory.


This also was just a problem in Baloo; smells like the ::fromRawArray "constructor" could use a free function pointer to be called when the bytearray is ultimately released.

Until then the functions will have to copy the data and/or the function needs to be "pimped" to allow the client code to nuke the bytearray payload when it's no longer required.

Cheers,
Thomas
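Worked illustration, added here and not code from kwindowsystem, Qt or xcb: it models the ownership problem in the mail with a small stand-in byte-array type instead of QByteArray. Reply, Bytes, get_stringlist, free_reply and Mode are names invented for the demo, and the property payload is constructed. The three modes are the buggy view-then-free pattern, the copy workaround, and a fromRawData() that takes a release hook (here a std::shared_ptr deleter standing in for the "free function pointer" the mail proposes).

```cpp
// Added illustration, not code from kwindowsystem, Qt or xcb. Reply, Bytes,
// get_stringlist, free_reply and Mode are stand-ins invented for this demo.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for an xcb property reply: malloc'd header with the payload right behind
// it. The payload is a run of NUL-terminated strings, as X11 string-list properties are.
struct Reply {
    uint32_t value_len;
};

static const char *reply_value(const Reply *r) {
    return reinterpret_cast<const char *>(r + 1);
}

static Reply *make_reply(const std::string &payload) {
    Reply *r = static_cast<Reply *>(std::malloc(sizeof(Reply) + payload.size()));
    r->value_len = static_cast<uint32_t>(payload.size());
    std::memcpy(r + 1, payload.data(), payload.size());
    return r;
}

// Debug stand-in for free(): poisons the payload, as debug allocators and ASan's
// quarantine do, but deliberately never returns it to the allocator so the buggy
// path below can read through its dangling pointers without undefined behaviour.
static void free_reply(Reply *r) {
    std::memset(r + 1, 0xDD, r->value_len);
}

// Byte array in the spirit of QByteArray: it owns a copy, or views memory someone
// else owns, optionally holding a token whose deleter runs when the last view dies.
class Bytes {
public:
    static Bytes copy(const char *d, size_t n) {
        char *buf = new char[n];
        std::memcpy(buf, d, n);
        return Bytes(buf, n, std::shared_ptr<void>(buf, [](void *p) { delete[] static_cast<char *>(p); }));
    }
    // Like QByteArray::fromRawData(): no copy, no ownership. The caller must keep the
    // memory alive for as long as any Bytes built from it is used.
    static Bytes fromRawData(const char *d, size_t n) { return Bytes(d, n, nullptr); }
    // Proposed variant: the view keeps `owner` alive; its deleter releases the memory.
    static Bytes fromRawData(const char *d, size_t n, std::shared_ptr<void> owner) {
        return Bytes(d, n, std::move(owner));
    }
    std::string str() const { return std::string(data_, size_); }

private:
    Bytes(const char *d, size_t n, std::shared_ptr<void> o)
        : data_(d), size_(n), owner_(std::move(o)) {}
    const char *data_;
    size_t size_;
    std::shared_ptr<void> owner_;
};

enum class Mode { Buggy, Copy, Hook };

// Model of get_stringlist_reply(): one Bytes per NUL-terminated string in the payload.
static std::vector<Bytes> get_stringlist(Reply *reply, Mode mode) {
    std::vector<Bytes> list;
    std::shared_ptr<void> token;
    if (mode == Mode::Hook)  // free_reply() runs only once the last Bytes is gone
        token = std::shared_ptr<void>(reply, [](void *r) { free_reply(static_cast<Reply *>(r)); });

    const char *p = reply_value(reply);
    const char *end = p + reply->value_len;
    while (p < end) {
        const char *nul = static_cast<const char *>(std::memchr(p, '\0', end - p));
        size_t n = nul ? static_cast<size_t>(nul - p) : static_cast<size_t>(end - p);
        switch (mode) {
        case Mode::Buggy: list.push_back(Bytes::fromRawData(p, n)); break;        // view only
        case Mode::Copy:  list.push_back(Bytes::copy(p, n)); break;               // private copy
        case Mode::Hook:  list.push_back(Bytes::fromRawData(p, n, token)); break; // view + owner
        }
        p += n + 1;
    }
    if (mode != Mode::Hook)
        free_reply(reply);  // Buggy mode: the returned list still points into this memory
    return list;
}

// Runs the split in one mode and materialises what the caller would see.
static std::vector<std::string> strings_for(Mode mode) {
    Reply *reply = make_reply(std::string("alpha\0beta\0", 11));  // constructed sample payload
    std::vector<std::string> out;
    for (const Bytes &b : get_stringlist(reply, mode))
        out.push_back(b.str());
    return out;
}

int main() {
    for (Mode m : {Mode::Buggy, Mode::Copy, Mode::Hook}) {
        std::printf("%s:", m == Mode::Buggy ? "buggy" : m == Mode::Copy ? "copy" : "hook");
        for (const std::string &s : strings_for(m)) {
            std::printf(" [");
            for (unsigned char c : s)
                c >= 0x20 && c < 0x7f ? std::printf("%c", c) : std::printf("\\x%02X", c);
            std::printf("]");
        }
        std::printf("\n");
    }
    return 0;
}
```

In buggy mode the returned strings come back as poisoned 0xDD bytes, which is the "list that now contains freed memory" from the mail; with a real free() the same read is a heap-use-after-free that ASan reports. Copy mode pays for a duplicate of every string; hook mode keeps the single reply allocation alive exactly as long as some view into it exists, which is what a release callback on fromRawData() would buy.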