[PATCH] drm: fix the usage after free
Christian König
deathsimple at vodafone.de
Mon Aug 24 00:51:57 PDT 2015
On 24.08.2015 05:56, Jammy Zhou wrote:
> From: Mathias Tillman <master.homer at gmail.com>
>
> For readdir_r(), the next directory entry is returned in caller-allocted
> buffer (pointered by pent here).
>
> https://bugs.freedesktop.org/show_bug.cgi?id=91704
>
> Signed-off-by: Jammy Zhou <Jammy.Zhou at amd.com>
Would be more convenient if Mathias would add his Signed-off-by as well
and send out the patch, cause he is the original author.
Anyway the patch is clearly a nice catch and Reviewed-by: Christian
König <christian.koenig at amd.com>
Regards,
Christian.
> ---
> xf86drm.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/xf86drm.c b/xf86drm.c
> index 5e02969..a7cc643 100644
> --- a/xf86drm.c
> +++ b/xf86drm.c
> @@ -2803,11 +2803,12 @@ static char *drmGetMinorNameForFD(int fd, int type)
>
> while (readdir_r(sysdir, pent, &ent) == 0 && ent != NULL) {
> if (strncmp(ent->d_name, name, len) == 0) {
> + snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
> + ent->d_name);
> +
> free(pent);
> closedir(sysdir);
>
> - snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
> - ent->d_name);
> return strdup(dev_name);
> }
> }
More information about the dri-devel
mailing list