[PATCH] xfixes: avoid double-free of CursorScreenRec
Ben Skeggs
skeggsb at gmail.com
Thu Jun 10 21:26:57 PDT 2010
From: Ben Skeggs <bskeggs at redhat.com>
Without resetting the private's pointer to NULL, we can end up freeing
the struct twice:
==11188== Invalid free() / delete / delete[]
==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
==11188== by 0x42D8A3: dixFreePrivates (privates.c:217)
==11188== by 0x420CF6: main (main.c:319)
==11188== Address 0x8d884a0 is 0 bytes inside a block of size 24 free'd
==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
==11188== by 0x4996A3: CursorCloseScreen (cursor.c:200)
==11188== by 0x4C051B: AnimCurCloseScreen (animcur.c:125)
==11188== by 0x420CCB: main (main.c:317)
==11188==
Signed-off-by: Ben Skeggs <bskeggs at redhat.com>
---
xfixes/cursor.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 41ba0fb..5c04231 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -190,6 +190,7 @@ CursorCloseScreen (int index, ScreenPtr pScreen)
deleteCursorHideCountsForScreen(pScreen);
ret = (*pScreen->CloseScreen) (index, pScreen);
free(cs);
+ SetCursorScreen(pScreen, NULL);
return ret;
}
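Review bot: the added SetCursorScreen(pScreen, NULL) after free(cs) carries no comment explaining why the private has to be cleared, and nothing at this site hints that a second owner exists. The valgrind trace in the commit message shows dixFreePrivates (privates.c:217) freeing the same 24-byte block later from main, so a one-line comment saying that dixFreePrivates frees whatever the private still points to would keep the line from being dropped as redundant in a later cleanup. Also consider moving the reset ahead of free(cs), so the private never holds a dangling pointer, even briefly.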
--
1.7.0.1