[PATCH] xfixes: avoid double-free of CursorScreenRec
Peter Hutterer
peter.hutterer at who-t.net
Thu Jun 10 21:33:56 PDT 2010
On Fri, Jun 11, 2010 at 02:26:57PM +1000, Ben Skeggs wrote:
> From: Ben Skeggs <bskeggs at redhat.com>
>
> Without resetting the private's pointer to NULL, we can end up freeing
> the struct twice:
>
> ==11188== Invalid free() / delete / delete[]
> ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
> ==11188== by 0x42D8A3: dixFreePrivates (privates.c:217)
> ==11188== by 0x420CF6: main (main.c:319)
> ==11188== Address 0x8d884a0 is 0 bytes inside a block of size 24 free'd
> ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
> ==11188== by 0x4996A3: CursorCloseScreen (cursor.c:200)
> ==11188== by 0x4C051B: AnimCurCloseScreen (animcur.c:125)
> ==11188== by 0x420CCB: main (main.c:317)
> ==11188==
>
> Signed-off-by: Ben Skeggs <bskeggs at redhat.com>
> ---
> xfixes/cursor.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/xfixes/cursor.c b/xfixes/cursor.c
> index 41ba0fb..5c04231 100644
> --- a/xfixes/cursor.c
> +++ b/xfixes/cursor.c
> @@ -190,6 +190,7 @@ CursorCloseScreen (int index, ScreenPtr pScreen)
> deleteCursorHideCountsForScreen(pScreen);
> ret = (*pScreen->CloseScreen) (index, pScreen);
> free(cs);
> + SetCursorScreen(pScreen, NULL);
> return ret;
> }
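Review bot: the added `SetCursorScreen(pScreen, NULL);` correctly clears the screen private right after `free(cs);`, so the later `dixFreePrivates` call in the valgrind trace no longer sees the already-freed block; as a minor ordering point, consider placing the reset immediately before `free(cs);` so the private never holds a dangling pointer, even briefly, and the two lines read as one "detach then release" step. The commit message could also state that the second free happens in `dixFreePrivates` during server teardown (main.c:319), which is why the problem only shows up on some configurations.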
>
> --
> 1.7.0.1
Funnily enough, this isn't reproducible on all machines, but the patch looks
correct to me.
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Cheers,
Peter