[PATCH 01/12] dix: fix double free around allocargbcursor.
Dave Airlie
airlied at gmail.com
Thu Oct 20 03:44:17 PDT 2011
From: Dave Airlie <airlied at redhat.com>
coverity scan pointed this out.
In some of its error cases AllocARGBCursor freed the bits passed in,
because it assigned them to the cursor and called FreeCursorBits, in
one case it didn't, if it hadn't done the assignment.
This standardises the interface so it always frees in the passed in bits
on failure, and cleans up the call sites.
Signed-off-by: Dave Airlie <airlied at redhat.com>
---
dix/cursor.c | 5 ++++-
dix/dispatch.c | 2 --
dix/window.c | 5 -----
render/render.c | 2 --
4 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/dix/cursor.c b/dix/cursor.c
index f29cb11..0e8caf6 100644
--- a/dix/cursor.c
+++ b/dix/cursor.c
@@ -240,8 +240,11 @@ AllocARGBCursor(unsigned char *psrcbits, unsigned char *pmaskbits,
*ppCurs = NULL;
pCurs = (CursorPtr)calloc(CURSOR_REC_SIZE + CURSOR_BITS_SIZE, 1);
- if (!pCurs)
+ if (!pCurs) {
+ free(psrcbits);
+ free(pmaskbits);
return BadAlloc;
+ }
bits = (CursorBitsPtr)((char *)pCurs + CURSOR_REC_SIZE);
dixInitPrivates(pCurs, pCurs + 1, PRIVATE_CURSOR);
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 43cb4d1..41a79c8 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2983,8 +2983,6 @@ ProcCreateCursor (ClientPtr client)
return Success;
bail:
- free(srcbits);
- free(mskbits);
return rc;
}
diff --git a/dix/window.c b/dix/window.c
index 1953f02..1f4fd44 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -3405,11 +3405,6 @@ TileScreenSaver(ScreenPtr pScreen, int kind)
else
cursor = 0;
}
- else
- {
- free(srcbits);
- free(mskbits);
- }
}
pWin = pScreen->screensaver.pWindow =
diff --git a/render/render.c b/render/render.c
index ff75409..16db0fc 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1707,8 +1707,6 @@ ProcRenderCreateCursor (ClientPtr client)
return Success;
bail:
- free(srcbits);
- free(mskbits);
return rc;
}
--
1.7.6.4
More information about the xorg-devel
mailing list