[PATCH] render: Fix double-free on ARGB cursor error path
Adam Jackson
ajax at redhat.com
Wed Aug 20 07:40:26 PDT 2014
The gotos deleted by this patch are the only way to get to the bail:
label here. In neither case do we need to free the cursor bits from the
caller; AllocARGBCursor will already do that on the failure path,
likewise AddResource will call the resource delete function on error.
valgrind trace:
Invalid free() / delete / delete[] / realloc()
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x55E95C: ProcRenderCreateCursor (render.c:1643)
by 0x446666: Dispatch (dispatch.c:432)
by 0x44A409: dix_main (main.c:296)
by 0x30D0E21D64: (below main) (libc-start.c:285)
Address 0xa269250 is 0 bytes inside a block of size 96 free'd
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x43AF17: FreeCursorBits (cursor.c:81)
by 0x43B257: AllocARGBCursor (cursor.c:300)
by 0x55E929: ProcRenderCreateCursor (render.c:1626)
by 0x446666: Dispatch (dispatch.c:432)
by 0x44A409: dix_main (main.c:296)
by 0x30D0E21D64: (below main) (libc-start.c:285)
Signed-off-by: Adam Jackson <ajax at redhat.com>
---
render/render.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/render/render.c b/render/render.c
index 9ac4a98..797044d 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1632,17 +1632,12 @@ ProcRenderCreateCursor(ClientPtr client)
GetColor(twocolor[1], 0),
&pCursor, client, stuff->cid);
if (rc != Success)
- goto bail;
- if (!AddResource(stuff->cid, RT_CURSOR, (void *) pCursor)) {
- rc = BadAlloc;
- goto bail;
- }
+ return rc;
+
+ if (!AddResource(stuff->cid, RT_CURSOR, (void *) pCursor))
+ return BadAlloc;
return Success;
- bail:
- free(srcbits);
- free(mskbits);
- return rc;
}
static int
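Review bot: the new `return rc;` after the AllocARGBCursor call is only correct if AllocARGBCursor frees srcbits and mskbits on every one of its failure returns, not just the path the valgrind trace shows (FreeCursorBits called from cursor.c:300); the commit message asserts this, but stating in the message that all of AllocARGBCursor's error exits go through FreeCursorBits would make the review easier, since otherwise dropping the `bail:` cleanup trades the double free for a leak. The same applies to `return BadAlloc;` after AddResource: it relies on AddResource running the RT_CURSOR delete function on failure, as the message says, so neither pCursor nor the bits may be touched here. Minor style: the added blank line before the AddResource check has no counterpart before `return Success;`.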
--
1.9.3
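As an added illustration, not code from this patch or from the X server, here is a constructed model of the ownership rule the commit message relies on: the callee that builds the cursor frees the pixel buffers on its failure path, so a caller that frees them again on its own bail path releases them twice. The names alloc_cursor, create_cursor_before, create_cursor_after, release and the error-code values are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model (not the X server's code) of the ownership rule in the
 * commit message: the callee that builds the cursor takes the pixel buffers
 * and frees them itself on every failure path, so the caller must not. */
#define Success  0
#define BadAlloc 1  /* placeholder error code */
typedef struct { unsigned char *src; unsigned char *msk; } CursorBits;
static int double_frees;  /* releases of a buffer that was already released */
/* Like free(), but a repeated release is counted instead of corrupting the
 * heap, so a test can observe the bug the valgrind trace reported. */
static void release(unsigned char **slot) {
    if (*slot == NULL) { double_frees++; return; }
    free(*slot);
    *slot = NULL;
}
/* Stand-in for AllocARGBCursor: owns src/msk from here on, frees on failure. */
static int alloc_cursor(CursorBits *b, bool fail) {
    if (!fail)
        return Success;
    release(&b->src);
    release(&b->msk);
    return BadAlloc;
}

/* Caller before the patch: bail frees buffers the callee already freed. */
static int create_cursor_before(CursorBits *b, bool fail) {
    int rc = alloc_cursor(b, fail);
    if (rc != Success)
        goto bail;
    return Success;
 bail:
    release(&b->src);
    release(&b->msk);
    return rc;
}

/* Caller after the patch: propagate rc; ownership has already moved. */
static int create_cursor_after(CursorBits *b, bool fail) {
    return alloc_cursor(b, fail);
}

/* Drives a caller through the failing path; returns double frees seen, or -1
 * if a buffer leaked (the fix must not trade the double free for a leak). */
int failing_path_double_frees(int (*create)(CursorBits *, bool)) {
    CursorBits b = { malloc(96), malloc(96) };  /* 96 bytes, as in the trace */
    double_frees = 0;
    create(&b, true);
    return (b.src || b.msk) ? -1 : double_frees;
}
```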