[PATCH] drm: fix the usage after free
Jammy Zhou
Jammy.Zhou at amd.com
Sun Aug 23 20:56:13 PDT 2015
From: Mathias Tillman <master.homer at gmail.com>
For readdir_r(), the next directory entry is returned in caller-allocted
buffer (pointered by pent here).
https://bugs.freedesktop.org/show_bug.cgi?id=91704
Signed-off-by: Jammy Zhou <Jammy.Zhou at amd.com>
---
xf86drm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xf86drm.c b/xf86drm.c
index 5e02969..a7cc643 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -2803,11 +2803,12 @@ static char *drmGetMinorNameForFD(int fd, int type)
while (readdir_r(sysdir, pent, &ent) == 0 && ent != NULL) {
if (strncmp(ent->d_name, name, len) == 0) {
+ snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
+ ent->d_name);
+
free(pent);
closedir(sysdir);
- snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
- ent->d_name);
return strdup(dev_name);
}
}
--
1.9.1
More information about the dri-devel
mailing list