[PATCH 5/5] dix: don't free stranger pointers inside AllocARGBCursor

Tiago Vignatti tiago.vignatti at nokia.com
Mon Apr 4 10:54:35 PDT 2011


This seems a good convention to follow: if pointers are allocated outside a
given function, then free them there as well when a failure occurs.

AllocARGBCursor and its callers were mixing up the freeing of resources and
causing a particular double free inside TileScreenSaver (srcbits and mskbits).

Signed-off-by: Tiago Vignatti <tiago.vignatti at nokia.com>
---
 dix/cursor.c    |    5 +----
 dix/dispatch.c  |   12 +++++++++---
 render/render.c |   12 +++++++++---
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/dix/cursor.c b/dix/cursor.c
index 72a7609..c191c1e 100644
--- a/dix/cursor.c
+++ b/dix/cursor.c
@@ -241,11 +241,8 @@ AllocARGBCursor(unsigned char *psrcbits, unsigned char *pmaskbits,
     *ppCurs = NULL;
     pCurs = (CursorPtr)calloc(CURSOR_REC_SIZE + CURSOR_BITS_SIZE, 1);
     if (!pCurs)
-    {
-	free(psrcbits);
-	free(pmaskbits);
 	return BadAlloc;
-    }
+
     bits = (CursorBitsPtr)((char *)pCurs + CURSOR_REC_SIZE);
     dixInitPrivates(pCurs, pCurs + 1, PRIVATE_CURSOR);
     dixInitPrivates(bits, bits + 1, PRIVATE_CURSOR_BITS)
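Review bot: Dropping the two `free()` calls on the `calloc` failure branch only makes ownership consistent if every other failure exit of `AllocARGBCursor` also leaves `psrcbits` and `pmaskbits` untouched, and the rest of the body lies outside this hunk. If a later error path tears the cursor down after the buffers have been attached to `bits`, the callers' new `bail:` labels would free them a second time, which is the same class of double free the commit sets out to remove. Callers not touched by this patch that relied on the old behaviour would now leak on allocation failure, so each one needs checking. I would record the contract above the function, e.g. `/* On failure psrcbits and pmaskbits remain owned by the caller; on success they belong to the cursor. */`.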
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 601b14a..192c8c3 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2976,11 +2976,17 @@ ProcCreateCursor (ClientPtr client)
 			 &pCursor, client, stuff->cid);
 
     if (rc != Success)
-	return rc;
-    if (!AddResource(stuff->cid, RT_CURSOR, (pointer)pCursor))
-	return BadAlloc;
+	goto bail;
+    if (!AddResource(stuff->cid, RT_CURSOR, (pointer)pCursor)) {
+	rc = BadAlloc;
+	goto bail;
+    }
 
     return Success;
+bail:
+    free(srcbits);
+    free(mskbits);
+    return rc;
 }
 
 int
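Review bot: The `AddResource` failure branch in `ProcCreateCursor` now jumps to `bail:` and frees `srcbits` and `mskbits` even though `AllocARGBCursor` has already returned `Success`, so by then the buffers presumably belong to `pCursor`. Depending on whether `AddResource` destroys the value when it fails (not visible here), this is either a double free or it leaves a cursor holding dangling pointers. Only the `rc != Success` branch should reach `bail:`; the second check can stay as `if (!AddResource(stuff->cid, RT_CURSOR, (pointer)pCursor)) return BadAlloc;`. The same pattern appears in the `ProcRenderCreateCursor` hunk in render/render.c. The function starts outside this hunk, so where `srcbits` and `mskbits` are allocated cannot be confirmed from here.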
diff --git a/render/render.c b/render/render.c
index 8ff8ee6..8e58711 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1706,11 +1706,17 @@ ProcRenderCreateCursor (ClientPtr client)
 			 GetColor(twocolor[1], 0),
 			 &pCursor, client, stuff->cid);
     if (rc != Success)
-	return rc;
-    if (!AddResource(stuff->cid, RT_CURSOR, (pointer)pCursor))
-	return BadAlloc;
+	goto bail;
+    if (!AddResource(stuff->cid, RT_CURSOR, (pointer)pCursor)) {
+	rc = BadAlloc;
+	goto bail;
+    }
 
     return Success;
+bail:
+    free(srcbits);
+    free(mskbits);
+    return rc;
 }
 
 static int
-- 
1.7.0.4


