Bug 6568 - Null deref in Picture.c
Summary: Null deref in Picture.c
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xrender
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assignee: Keith Packard
QA Contact:
Keywords: patch
Depends on:
Reported: 2006-04-12 19:48 UTC by Kjartan Maraas
Modified: 2011-10-15 17:17 UTC

proposed patch (706 bytes, patch)
2006-04-12 19:49 UTC, Kjartan Maraas

Description Kjartan Maraas 2006-04-12 19:48:53 UTC
Coverity report #750:

Event var_compare_op: Added "xr" due to comparison "xr != 0"
Also see events: [var_deref_model]
At conditional (1): "xr != 0" taking false path
At conditional (2): "(r)->numRects == 0" taking true path

189  	    if (xr || !r->numRects)

Event var_deref_model: Variable "xr" tracked as NULL was passed to a function
that dereferences it. [model]
Also see events: [var_compare_op]

190  		_XRenderSetPictureClipRectangles (dpy, info, picture, 0, 0, 
191  						  xr, r->numRects);
192  	    if (xr)
193  		_XFreeTemp(dpy, (char *)xr, total);
194  	    UnlockDisplay(dpy);
195  	    SyncHandle();
196  	}

Attaching a proposed change.
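
The path Coverity flags above, as an added example that is not part of the bug report or of libXrender: a caller with the same `xr || !numRects` branch shape, and a callee that reads the array only when the count is non-zero. All names (`send_clip_rects`, `set_clip_region`, `alloc_temp`, `rect_t`, `region_t`) are hypothetical stand-ins, and the temp allocator returning NULL for a zero-byte request is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not libXrender's types or functions. */
typedef struct { short x, y; unsigned short width, height; } rect_t;
typedef struct { long numRects; const rect_t *rects; } region_t;
enum { CLIP_SENT = 0, CLIP_SKIPPED = -1, CLIP_BAD_ARGS = -2 };
#define WIRE_CAP 8

static rect_t wire[WIRE_CAP];   /* stands in for the request buffer */
static long   wire_count;

/* Callee: touches rects only when n > 0, and rejects NULL in that case. */
static int send_clip_rects(const rect_t *rects, long n)
{
    if (n < 0 || n > WIRE_CAP || (n > 0 && rects == NULL))
        return CLIP_BAD_ARGS;
    if (n > 0)                  /* never memcpy from NULL, even for 0 bytes */
        memcpy(wire, rects, (size_t)n * sizeof *rects);
    wire_count = n;
    return CLIP_SENT;
}

/* Assumed temp allocator: NULL for 0 bytes or on simulated failure. */
static rect_t *alloc_temp(size_t bytes, int fail)
{
    return (bytes == 0 || fail) ? NULL : malloc(bytes);
}

/* Caller with the same branch shape as the lines quoted in the report. */
static int set_clip_region(const region_t *r, int fail_alloc)
{
    int rc = CLIP_SKIPPED;
    size_t total = (size_t)r->numRects * sizeof(rect_t);
    rect_t *xr = alloc_temp(total, fail_alloc);
    if (xr)
        memcpy(xr, r->rects, total);
    if (xr || !r->numRects)     /* (NULL, 0) reaches the callee here */
        rc = send_clip_rects(xr, r->numRects);
    free(xr);                   /* free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    region_t empty = { 0, NULL };
    return set_clip_region(&empty, 0) == CLIP_SENT ? 0 : 1;
}
```

Whether a NULL array with a zero count is safe depends entirely on the callee's contract, which is the part a checker's function model has to get right.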
Comment 1 Kjartan Maraas 2006-04-12 19:49:13 UTC
Created attachment 5275
proposed patch
Comment 2 Kjartan Maraas 2006-11-01 04:51:06 UTC
Still relevant from a quick look at the current git repo
Comment 3 Corbin Simpson 2010-03-27 04:49:57 UTC
Tagging patch; will triage later.
Comment 4 Kjartan Maraas 2010-09-13 12:55:49 UTC
Tried the clang static analyzer on this and it didn't find anything wrong in Picture.c so I'll close this since the Coverity checker isn't available to me any more.