[PATCH] xfixes: avoid double-free of CursorScreenRec
Keith Packard
keithp at keithp.com
Thu Jun 10 23:08:29 PDT 2010
On Fri, 11 Jun 2010 14:26:57 +1000, Ben Skeggs <skeggsb at gmail.com> wrote:
> Without resetting the private's pointer to NULL, we can end up freeing
> the struct twice:
>
> ==11188== Invalid free() / delete / delete[]
> ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
> ==11188== by 0x42D8A3: dixFreePrivates (privates.c:217)
> ==11188== by 0x420CF6: main (main.c:319)
> ==11188== Address 0x8d884a0 is 0 bytes inside a block of size 24 free'd
> ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325)
> ==11188== by 0x4996A3: CursorCloseScreen (cursor.c:200)
> ==11188== by 0x4C051B: AnimCurCloseScreen (animcur.c:125)
> ==11188== by 0x420CCB: main (main.c:317)
> ==11188==
This is not a 1.9 server -- the new devPrivates will not free storage in
this way, so feel free to merge it to 1.8, but there's no need to add
this to 1.9. Even in 1.8, I'm surprised that the devPrivates code is
freeing stuff it didn't allocate. That seems quite wrong.
--
keith.packard at intel.com
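The sequence the quoted valgrind trace describes (an extension's CloseScreen frees its private record, then the generic privates teardown frees the same block because the slot still holds the stale pointer) can be modelled in a few lines. The following C is an added example for this thread, not code from the X server or from the patch under discussion; the type and function names (ScreenRec, cursor_close_screen_*, dix_free_privates) are hypothetical stand-ins, and the free tracker exists only so the second free is counted rather than corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pattern in the thread: a per-screen private
 * record owned by the cursor code, a CloseScreen hook that frees it, and a
 * generic privates teardown that frees whatever slot is still non-NULL.
 * All names are hypothetical; this is not the X server's code. */

typedef struct { int hotX, hotY; } CursorScreenRec;

typedef struct {
    void *cursorPrivate;          /* slot owned by the cursor extension */
} ScreenRec;

/* Tiny free tracker: a repeated free of the same block is counted instead
 * of being passed to free() a second time. */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed;
static int double_frees;

static void tracked_free(void *p)
{
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == p) {
            double_frees++;       /* second free of the same block */
            return;
        }
    }
    if (nfreed < MAX_FREED)
        freed[nfreed++] = p;
    free(p);
}

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

/* Buggy CloseScreen: frees the record but leaves the slot dangling. */
static void cursor_close_screen_buggy(ScreenRec *s)
{
    tracked_free(s->cursorPrivate);
}

/* Fixed CloseScreen: clears the slot so generic teardown finds nothing to free. */
static void cursor_close_screen_fixed(ScreenRec *s)
{
    tracked_free(s->cursorPrivate);
    s->cursorPrivate = NULL;
}

/* Generic privates teardown (the dixFreePrivates frame in the trace):
 * frees any slot that is still non-NULL. */
static void dix_free_privates(ScreenRec *s)
{
    if (s->cursorPrivate) {
        tracked_free(s->cursorPrivate);
        s->cursorPrivate = NULL;
    }
}

/* Runs the shutdown order from the trace (CloseScreen, then privates
 * teardown) and returns how many double frees were detected. */
int shutdown_double_free_count(int use_fix)
{
    ScreenRec screen;
    reset_tracker();
    screen.cursorPrivate = calloc(1, sizeof(CursorScreenRec));
    if (use_fix)
        cursor_close_screen_fixed(&screen);
    else
        cursor_close_screen_buggy(&screen);
    dix_free_privates(&screen);
    return double_frees;
}

int main(void)
{
    printf("buggy: %d double free(s)\n", shutdown_double_free_count(0));
    printf("fixed: %d double free(s)\n", shutdown_double_free_count(1));
    return 0;
}
```

The buggy path reports one double free and the fixed path none; the only difference is the `s->cursorPrivate = NULL` after the free, which is exactly the change the patch subject describes. Keith's point also follows from the model: if the generic teardown only freed storage it had itself allocated, the second free would not occur regardless of whether the extension cleared its slot.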