[PATCH] xfixes: avoid double-free of CursorScreenRec

Ben Skeggs skeggsb at gmail.com
Thu Jun 10 23:44:14 PDT 2010


On Thu, 2010-06-10 at 23:08 -0700, Keith Packard wrote:
> On Fri, 11 Jun 2010 14:26:57 +1000, Ben Skeggs <skeggsb at gmail.com> wrote:
> 
> > Without resetting the private's pointer to NULL, we can end up freeing
> > the struct twice:
> >
> > ==11188== Invalid free() / delete / delete[]
> > ==11188==    at 0x4C24D72: free (vg_replace_malloc.c:325)
> > ==11188==    by 0x42D8A3: dixFreePrivates (privates.c:217)
> > ==11188==    by 0x420CF6: main (main.c:319)
> > ==11188==  Address 0x8d884a0 is 0 bytes inside a block of size 24 free'd
> > ==11188==    at 0x4C24D72: free (vg_replace_malloc.c:325)
> > ==11188==    by 0x4996A3: CursorCloseScreen (cursor.c:200)
> > ==11188==    by 0x4C051B: AnimCurCloseScreen (animcur.c:125)
> > ==11188==    by 0x420CCB: main (main.c:317)
> > ==11188==
> 
> This is not a 1.9 server -- the new devPrivates will not free storage in
> this way, so feel free to merge it to 1.8, but there's no need to add
> this to 1.9. Even in 1.8, I'm surprised that the devPrivates code is
> freeing stuff it didn't allocate. That seems quite wrong.
Yes, this shouldn't actually happen. Your mail made me look into this a
bit deeper, and I've found out how it's happening, but it needs a bit more
looking into to find out how to fix it.

So, no need to commit this patch.
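The double free in the quoted valgrind trace, as an added model that is not xserver code and not part of the original thread: an extension's CloseScreen hook frees its per-screen private but leaves the slot pointing at the freed block, and a later generic sweep over the privates table frees every non-NULL slot again. The names Screen, PrivateSlot, cursor_close_screen_buggy, cursor_close_screen_fixed, free_all_privates and tracked_free are assumptions for illustration only; tracked_free is a small detector that remembers released pointers and counts repeats instead of calling free() twice, since a real double free() is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-screen privates table; not the X server's
 * DevPrivates API. */
#define MAX_PRIVATES 8
#define FREED_LOG_SIZE 64

typedef struct {
    void *ptr;
} PrivateSlot;

typedef struct {
    PrivateSlot privates[MAX_PRIVATES];
} Screen;

/* Minimal double-free detector: remembers every pointer handed to
 * tracked_free() and counts a repeat instead of freeing it again. */
static void *freed_log[FREED_LOG_SIZE];
static int freed_count;
static int double_free_count;

static void reset_tracker(void)
{
    freed_count = 0;
    double_free_count = 0;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < freed_count; i++) {
        if (freed_log[i] == p) {
            double_free_count++;   /* a real free() here would be UB */
            return;
        }
    }
    if (freed_count < FREED_LOG_SIZE)
        freed_log[freed_count++] = p;
    free(p);
}

/* Buggy CloseScreen hook: releases the private but leaves the slot
 * dangling, so a later sweep sees a non-NULL pointer and frees it again. */
static void cursor_close_screen_buggy(Screen *s, int key)
{
    tracked_free(s->privates[key].ptr);
}

/* Fixed hook: reset the slot to NULL so the generic sweep skips it. */
static void cursor_close_screen_fixed(Screen *s, int key)
{
    tracked_free(s->privates[key].ptr);
    s->privates[key].ptr = NULL;
}

/* Generic teardown sweep, analogous to a privates-freeing pass that
 * releases every slot it finds non-NULL, whether or not it allocated it. */
static void free_all_privates(Screen *s)
{
    for (int i = 0; i < MAX_PRIVATES; i++) {
        if (s->privates[i].ptr) {
            tracked_free(s->privates[i].ptr);
            s->privates[i].ptr = NULL;
        }
    }
}

/* Runs the teardown sequence once and returns how many double frees the
 * tracker observed: 1 for the buggy hook, 0 for the fixed one. */
static int run_teardown(int use_fix)
{
    Screen s;
    const int key = 3;

    reset_tracker();
    memset(&s, 0, sizeof s);
    s.privates[key].ptr = malloc(24);   /* constructed: a 24-byte block, as in the trace */
    if (!s.privates[key].ptr)
        return -1;

    if (use_fix)
        cursor_close_screen_fixed(&s, key);
    else
        cursor_close_screen_buggy(&s, key);

    free_all_privates(&s);
    return double_free_count;
}

int main(void)
{
    printf("buggy hook: %d double free(s)\n", run_teardown(0));
    printf("fixed hook: %d double free(s)\n", run_teardown(1));
    return 0;
}
```

Resetting the slot stops the second free, which is what the quoted patch does, but it only hides the underlying problem Keith points at: a sweep that frees storage it did not allocate will still double free any other private whose owner releases it without clearing the slot. Either the sweep should free only what it allocated, or owners must always clear their slot; the model above lets you try either change and see the count go to zero.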

More information about the xorg-devel mailing list