[Mesa-dev] [Bug 94710] Patch for dangling disp->DriverData pointer in error path

Sat Mar 26 02:13:39 UTC 2016

https://bugs.freedesktop.org/show_bug.cgi?id=94710

            Bug ID: 94710
           Summary: Patch for dangling disp->DriverData pointer in error
                    path
           Product: Mesa
           Version: 11.1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: EGL
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: john at feith.com
        QA Contact: mesa-dev at lists.freedesktop.org

Created attachment 122571
  --> https://bugs.freedesktop.org/attachment.cgi?id=122571&action=edit
Patch for problem.

Noticed while looking at a crash the following code pattern:

    dri2_dpy = calloc(1, sizeof *dri2_dpy);

    disp->DriverData = (void *) dri2_dpy;

    ...

    if error goto cleanup

    return success

  cleanup:
    free(dri2_dpy)

    return failure

The problem being that on failure disp->DriverData is left pointing to
memory which has already been freed.  Granted no one should be accessing
it after a failure, however if someone does then random things may occur.
The attached patch sets disp->DriverData to NULL on failure so that more
predictable behavior occurs if someone does happen to accesses it.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20160326/0875973c/attachment.html>