Parfait 1.1 reports: Error: Null pointer dereference (CWE 476) Read from null pointer 'dv' at line 244 of Xext/xtest.c in function 'ProcXTestFakeInput'. Null pointer introduced at line 244. which corresponds to: 243 if (nev > 1 && !dev->valuator) { 244 client->errorValue = dv->first_valuator; 245 return BadValue; 246 } Unfortunately, dv is initialized to NULL before this: 159 deviceValuator *dv = NULL; and not set to an actual value until afterwards: 250 for (n = 1; n < nev; n++) { 251 dv = (deviceValuator *) (ev + n); Should the reference at 244 be to the firstValuator variable set just before that error check, or to another value? If firstValuator works, then this would fix it, and prevent further invalid uses:
diff --git a/Xext/xtest.c b/Xext/xtest.c
index 2abdc7f..6519b9c 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -156,7 +156,6 @@ ProcXTestFakeInput(ClientPtr client)
 DeviceIntPtr dev = NULL;
 WindowPtr root;
 Bool extension = FALSE;
- deviceValuator *dv = NULL;
 ValuatorMask mask;
 int valuators[MAX_VALUATORS] = { 0 };
 int numValuators = 0;
@@ -241,14 +240,14 @@ ProcXTestFakeInput(ClientPtr client)
 }
 if (nev > 1 && !dev->valuator) {
- client->errorValue = dv->first_valuator;
+ client->errorValue = firstValuator;
 return BadValue;
 }
 /* check validity of valuator events */
 base = firstValuator;
 for (n = 1; n < nev; n++) {
- dv = (deviceValuator *) (ev + n);
+ deviceValuator *dv = (deviceValuator *) (ev + n);
 if (dv->type != DeviceValuator) {
 client->errorValue = dv->type;
 return BadValue;
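Review bot: In the second hunk the `!dev->valuator` branch now reports `firstValuator`, but nothing at that branch says what the value means for a device with no valuators; a comment such as `/* device has no valuators: report the first valuator index from the request */` would record the intent, assuming that is what firstValuator holds. The assignment of firstValuator is outside the hunk, so it is worth confirming that it does not itself read through `dev->valuator` before this guard runs, since ProcXTestFakeInput is driven by a client request and the old line was a NULL read on that path. The cast `(deviceValuator *) (ev + n)` likewise relies on `nev` having been bounded against the request length earlier in the function, which the hunk does not show. The function body starts and ends outside both hunks.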
http://patchwork.freedesktop.org/patch/12943/
commit 48bc30c5413a1be0039fa77affcbbb4fe677479f Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Tue Jan 29 10:24:32 2013 +1000 Xext: avoid null-pointer dereference in XTestFakeInput (#59937)