[PATCH 01/12] dix: fix double free around allocargbcursor.
Alan Coopersmith
alan.coopersmith at oracle.com
Thu Oct 20 16:23:12 PDT 2011
On 10/20/11 03:44, Dave Airlie wrote:
> From: Dave Airlie<airlied at redhat.com>
>
> coverity scan pointed this out.
>
> In some of its error cases AllocARGBCursor freed the bits passed in,
> because it assigned them to the cursor and called FreeCursorBits, in
> one case it didn't, if it hadn't done the assignment.
>
> This standardises the interface so it always frees in the passed in bits
> on failure, and cleans up the call sites.

Should that be noted in the doxygen comment for that function for future
reference?

> Signed-off-by: Dave Airlie<airlied at redhat.com>
> ---
> dix/cursor.c | 5 ++++-
> dix/dispatch.c | 2 --
> dix/window.c | 5 -----
> render/render.c | 2 --
> 4 files changed, 4 insertions(+), 10 deletions(-)
>
> diff --git a/dix/cursor.c b/dix/cursor.c
> index f29cb11..0e8caf6 100644
> --- a/dix/cursor.c
> +++ b/dix/cursor.c
> @@ -240,8 +240,11 @@ AllocARGBCursor(unsigned char *psrcbits, unsigned char *pmaskbits,
>
> *ppCurs = NULL;
> pCurs = (CursorPtr)calloc(CURSOR_REC_SIZE + CURSOR_BITS_SIZE, 1);
> - if (!pCurs)
> + if (!pCurs) {
> + free(psrcbits);
> + free(pmaskbits);
> return BadAlloc;
> + }
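
Review bot: in the new `if (!pCurs) {` branch only `psrcbits` and `pmaskbits` are freed, yet the signature line in the hunk header ends in a comma, so the function takes further parameters that are not visible here. If any of them is a caller-allocated buffer that the later failure paths release, this early return has to release it too, otherwise the "always frees on failure" contract from the commit message still has one exception. The hunk also adds no comment recording that ownership of the buffers passes to the function even when it returns BadAlloc. Since the diffstat removes lines from dix/dispatch.c, dix/window.c and render/render.c, a sentence in the function's header comment stating this would keep a future caller from adding a free on its own error path and reintroducing the double free.
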
What about argb in #ifdef ARGB_CURSOR? Looks like that would get assigned to
bits->argb, which is also freed by FreeCursorBits().
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Platform Engineering: X Window System