| Summary: | Patch for dangling disp->DriverData pointer in error path | ||
|---|---|---|---|
| Product: | Mesa | Reporter: | John Wehle <john> |
| Component: | EGL | Assignee: | mesa-dev |
| Status: | RESOLVED MOVED | QA Contact: | mesa-dev |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | 11.1 | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | Patch for problem. | ||
Please submit patches directly (preferably using git send-email, but definitely generated by git format-patch) to the mesa-dev@lists.freedesktop.org list for review. -- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/155. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 122571 [details] Patch for problem. Noticed while looking at a crash the following code pattern: dri2_dpy = calloc(1, sizeof *dri2_dpy); disp->DriverData = (void *) dri2_dpy; ... if error goto cleanup return success cleanup: free(dri2_dpy) return failure The problem being that on failure disp->DriverData is left pointing to memory which has already been freed. Granted no one should be accessing it after a failure, however if someone does then random things may occur. The attached patch sets disp->DriverData to NULL on failure so that more predictable behavior occurs if someone does happen to accesses it.