Bug 94710

Summary: Patch for dangling disp->DriverData pointer in error path
Product: Mesa Reporter: John Wehle <john>
Component: EGLAssignee: mesa-dev
Status: RESOLVED MOVED QA Contact: mesa-dev
Severity: normal    
Priority: medium    
Version: 11.1   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Patch for problem.

Description John Wehle 2016-03-26 02:13:39 UTC
Created attachment 122571 [details]
Patch for problem.

Noticed while looking at a crash the following code pattern:

    dri2_dpy = calloc(1, sizeof *dri2_dpy);

    disp->DriverData = (void *) dri2_dpy;

    ...

    if error goto cleanup

    return success

  cleanup:
    free(dri2_dpy)

    return failure

The problem being that on failure disp->DriverData is left pointing to
memory which has already been freed.  Granted no one should be accessing
it after a failure, however if someone does then random things may occur.
The attached patch sets disp->DriverData to NULL on failure so that more
predictable behavior occurs if someone does happen to accesses it.
Comment 1 Michel Dänzer 2016-03-28 02:09:35 UTC
Please submit patches directly (preferably using git send-email, but definitely generated by git format-patch) to the mesa-dev@lists.freedesktop.org list for review.
Comment 2 GitLab Migration User 2019-09-18 18:07:19 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/155.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.