Bug 94710 - Patch for dangling disp->DriverData pointer in error path
Summary: Patch for dangling disp->DriverData pointer in error path
Status: NEW
Alias: None
Product: Mesa
Classification: Unclassified
Component: EGL (show other bugs)
Version: 11.1
Hardware: Other All
: medium normal
Assignee: mesa-dev
QA Contact: mesa-dev
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-26 02:13 UTC by John Wehle
Modified: 2016-03-28 02:09 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Patch for problem. (1.74 KB, text/plain)
2016-03-26 02:13 UTC, John Wehle
Details

Note You need to log in before you can comment on or make changes to this bug.
Description John Wehle 2016-03-26 02:13:39 UTC
Created attachment 122571 [details]
Patch for problem.

Noticed while looking at a crash the following code pattern:

    dri2_dpy = calloc(1, sizeof *dri2_dpy);

    disp->DriverData = (void *) dri2_dpy;

    ...

    if error goto cleanup

    return success

  cleanup:
    free(dri2_dpy)

    return failure

The problem being that on failure disp->DriverData is left pointing to
memory which has already been freed.  Granted no one should be accessing
it after a failure, however if someone does then random things may occur.
The attached patch sets disp->DriverData to NULL on failure so that more
predictable behavior occurs if someone does happen to accesses it.
Comment 1 Michel Dänzer 2016-03-28 02:09:35 UTC
Please submit patches directly (preferably using git send-email, but definitely generated by git format-patch) to the mesa-dev@lists.freedesktop.org list for review.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.