[PATCH 1/3] randr: Fix crash for NULL swap dispatch procs

Alan Coopersmith alan.coopersmith at oracle.com
Sun Apr 20 12:02:12 PDT 2014


On 04/20/14 11:54 AM, walter harms wrote:
>
>
> On 19.04.2014 03:29, Robert Morell wrote:
>> The previous code was checking the wrong table for function pointers.
>>
>> Signed-off-by: Robert Morell <rmorell at nvidia.com>
>> ---
>>   randr/randr.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/randr/randr.c b/randr/randr.c
>> index 3c97714d8e1d..6e3f14b4e704 100644
>> --- a/randr/randr.c
>> +++ b/randr/randr.c
>> @@ -679,7 +679,7 @@ static int
>>   SProcRRDispatch(ClientPtr client)
>>   {
>>       REQUEST(xReq);
>> -    if (stuff->data >= RRNumberRequests || !ProcRandrVector[stuff->data])
>> +    if (stuff->data >= RRNumberRequests || !SProcRandrVector[stuff->data])
>>           return BadRequest;
>>       return (*SProcRandrVector[stuff->data]) (client);
>>   }
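
Review bot: In SProcRRDispatch the guard and the call still name the table separately (`!SProcRandrVector[stuff->data]` in the test, `(*SProcRandrVector[stuff->data]) (client)` in the return), which is the pattern that allowed the test to look at ProcRandrVector while the call went through SProcRandrVector. Consider reading the entry into a local function pointer once, testing that pointer for NULL and calling it, so the check and the call cannot refer to different tables. The commit body could also name the symptom from the subject line (a crash on a NULL swap dispatch proc) instead of only saying the wrong table was checked.
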
>
> hi,
> did you try that? I am not sure about !SProcRandrVector[stuff->data]. Can it really happen
> that certain elements of that array do not exist?

Absolutely - that's the current case if you look in
http://cgit.freedesktop.org/xorg/xserver/tree/randr/rrsdispatch.c?id=9838b7032ea9792bec21af424c53c07078636d21#n436

The array is declared as having RRNumberRequests (42) entries, but
only the first 31 have values provided, so the remaining 11 are
automatically initialized to NULL by the compiler.

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
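
The partial-initializer behaviour described in the reply above, as an added example that is not code from the X server or from this thread. The table and handler names, the return codes, and the assumption that the native table is fully populated are all hypothetical; only the sizes 42 and 31 come from the message.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM_REQUESTS 42   /* table size quoted in the reply */
#define SUCCESS      0
#define BAD_REQUEST  1    /* stand-in for the server's BadRequest */
#define NULL_CALL   -1    /* marks where a NULL pointer would have been called */
#define R5(h)  h, h, h, h, h
#define R10(h) R5(h), R5(h)

typedef int (*handler_fn)(void);
static int native_handler(void)  { return SUCCESS; }
static int swapped_handler(void) { return SUCCESS; }

/* Assumption for the demo: the native table is fully populated (42 entries). */
static handler_fn native_vec[NUM_REQUESTS] = {
    R10(native_handler), R10(native_handler), R10(native_handler),
    R10(native_handler), native_handler, native_handler
};
/* Only 31 initializers: C zero-initializes the remaining 11 slots to NULL. */
static handler_fn swapped_vec[NUM_REQUESTS] = {
    R10(swapped_handler), R10(swapped_handler), R10(swapped_handler),
    swapped_handler
};

/* Slots that a guard on native_vec lets through although swapped_vec is NULL. */
static int count_unguarded_slots(void) {
    int n = 0;
    for (unsigned i = 0; i < NUM_REQUESTS; i++)
        if (native_vec[i] != NULL && swapped_vec[i] == NULL) n++;
    return n;
}

/* Guard on the wrong table; reports NULL_CALL rather than crashing. */
static int dispatch_wrong_guard(unsigned idx) {
    if (idx >= NUM_REQUESTS || !native_vec[idx]) return BAD_REQUEST;
    return swapped_vec[idx] ? swapped_vec[idx]() : NULL_CALL;
}

/* Look the handler up once, then test and call that same pointer. */
static int dispatch_swapped(unsigned idx) {
    handler_fn fn = idx < NUM_REQUESTS ? swapped_vec[idx] : NULL;
    return fn ? fn() : BAD_REQUEST;
}

int main(void) {
    printf("unguarded slots: %d\n", count_unguarded_slots());
    printf("wrong guard, slot 31: %d\n", dispatch_wrong_guard(31));
    printf("fixed guard, slot 31: %d\n", dispatch_swapped(31));
    return 0;
}
```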

