[RFC] [PATCH v3] damage: use DamageReportDamage for the initial borderClip damage report
Instead of using DamageDamageRegion for reporting the first (virtual) damage in ProcDamageCreate that covers the borderClip of the drawable window, use a function DamageReportDamage directly (previously called damageReportDamage). This avoids sending all other damage listeners a full window update when a new damage object is created. As this patch makes DamageReportDamage a public interface, the function has been moved into the part of the file that contains all the other public functions. The function has not been otherwise modified. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- damageext/damageext.c |2 +- miext/damage/damage.c | 101 + miext/damage/damage.h |4 ++ 3 files changed, 56 insertions(+), 51 deletions(-) diff --git a/damageext/damageext.c b/damageext/damageext.c index cfef069..6958d89 100644 --- a/damageext/damageext.c +++ b/damageext/damageext.c @@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client) if (pDrawable-type == DRAWABLE_WINDOW) { pRegion = ((WindowPtr) pDrawable)-borderClip; - DamageDamageRegion(pDrawable, pRegion); + DamageReportDamage(pDamageExt-pDamage, pRegion); } return Success; diff --git a/miext/damage/damage.c b/miext/damage/damage.c index a3de044..f13bfbc 100644 --- a/miext/damage/damage.c +++ b/miext/damage/damage.c @@ -121,54 +121,6 @@ getDrawableDamageRef (DrawablePtr pDrawable) dixLookupPrivateAddr((pWindow)-devPrivates, damageWinPrivateKey) static void -damageReportDamage (DamagePtr pDamage, RegionPtr pDamageRegion) -{ -BoxRec tmpBox; -RegionRec tmpRegion; -Bool was_empty; - -switch (pDamage-damageLevel) { -case DamageReportRawRegion: - RegionUnion(pDamage-damage, pDamage-damage, -pDamageRegion); - (*pDamage-damageReport) (pDamage, pDamageRegion, pDamage-closure); - break; -case DamageReportDeltaRegion: - RegionNull(tmpRegion); - RegionSubtract(tmpRegion, pDamageRegion, pDamage-damage); - if (RegionNotEmpty(tmpRegion)) { - RegionUnion(pDamage-damage, pDamage-damage, -pDamageRegion); - (*pDamage-damageReport) (pDamage, tmpRegion, pDamage-closure); - } - RegionUninit(tmpRegion); - break; -case DamageReportBoundingBox: - tmpBox = *RegionExtents(pDamage-damage); - RegionUnion(pDamage-damage, pDamage-damage, -pDamageRegion); - if (!BOX_SAME (tmpBox, RegionExtents(pDamage-damage))) { - (*pDamage-damageReport) (pDamage, pDamage-damage, - pDamage-closure); - } - break; -case DamageReportNonEmpty: - was_empty = !RegionNotEmpty(pDamage-damage); - RegionUnion(pDamage-damage, pDamage-damage, -pDamageRegion); - if (was_empty RegionNotEmpty(pDamage-damage)) { - (*pDamage-damageReport) (pDamage, pDamage-damage, - pDamage-closure); - } - break; -case DamageReportNone: - RegionUnion(pDamage-damage, pDamage-damage, -pDamageRegion); - break; -} -} - -static void damageReportDamagePostRendering (DamagePtr pDamage, RegionPtr pOldDamage, RegionPtr pDamageRegion) { BoxRec tmpBox; @@ -360,7 +312,7 @@ damageRegionAppend (DrawablePtr pDrawable, RegionPtr pRegion, Bool clip, /* Report damage now, if desired. */ if (!pDamage-reportAfter) { if (pDamage-damageReport) - damageReportDamage (pDamage, pDamageRegion); + DamageReportDamage (pDamage, pDamageRegion); else RegionUnion(pDamage-damage, pDamage-damage, pDamageRegion); @@ -393,7 +345,7 @@ damageRegionProcessPending (DrawablePtr pDrawable) if (pDamage-reportAfter) { /* It's possible that there is only interest in postRendering reporting. */ if (pDamage-damageReport) - damageReportDamage (pDamage, pDamage-pendingDamage); + DamageReportDamage (pDamage, pDamage-pendingDamage); else RegionUnion(pDamage-damage, pDamage-damage, pDamage-pendingDamage); @@ -2149,3 +2101,52 @@ DamageGetScreenFuncs (ScreenPtr pScreen) damageScrPriv(pScreen); return pScrPriv-funcs; } + +void +DamageReportDamage (DamagePtr pDamage, RegionPtr pDamageRegion) +{ +BoxRec tmpBox; +RegionRec tmpRegion; +Bool was_empty; + +switch (pDamage-damageLevel) { +case DamageReportRawRegion: + RegionUnion(pDamage-damage, pDamage-damage, +pDamageRegion); + (*pDamage-damageReport) (pDamage, pDamageRegion, pDamage-closure); + break; +case DamageReportDeltaRegion: + RegionNull(tmpRegion); + RegionSubtract(tmpRegion, pDamageRegion, pDamage-damage); + if (RegionNotEmpty
[PATCH] damage: use DamageInitialReport for the initial borderClip damage report
Instead of using the proper DamageDamageRegion for reporting the first (virtual) damage in ProcDamageCreate that covers the borderClip of the drawable window, use a new function DamageInitialReport that uses damageReportDamage to do the work. This avoids sending all other damage listeners a full window update when a new damage object is created. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- damageext/damageext.c |2 +- miext/damage/damage.c | 12 miext/damage/damage.h |5 + 3 files changed, 18 insertions(+), 1 deletions(-) diff --git a/damageext/damageext.c b/damageext/damageext.c index cfef069..12e4bb1 100644 --- a/damageext/damageext.c +++ b/damageext/damageext.c @@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client) if (pDrawable-type == DRAWABLE_WINDOW) { pRegion = ((WindowPtr) pDrawable)-borderClip; - DamageDamageRegion(pDrawable, pRegion); + DamageInitialDamage(pDrawable, pRegion); } return Success; diff --git a/miext/damage/damage.c b/miext/damage/damage.c index a3de044..a698d14 100644 --- a/miext/damage/damage.c +++ b/miext/damage/damage.c @@ -2115,6 +2115,18 @@ DamageRegionRendered (DrawablePtr pDrawable, DamagePtr pDamage, RegionPtr pOldDa damageReportDamagePostRendering (pDamage, pOldDamage, pRegion); } +void +DamageInitialDamage (DrawablePtrpDrawable, +const RegionPtr pRegion) +{ +ScreenPtr pScreen = pDrawable-pScreen; +damageScrPriv(pScreen); +drawableDamage(pDrawable); + +damageReportDamage(pDamage, pRegion); +} + + /* This call is very odd, i'm leaving it intact for API sake, but please don't use it. */ void DamageDamageRegion (DrawablePtrpDrawable, diff --git a/miext/damage/damage.h b/miext/damage/damage.h index 067016f..a3125ea 100644 --- a/miext/damage/damage.h +++ b/miext/damage/damage.h @@ -110,6 +110,11 @@ DamageRegionProcessPending (DrawablePtr pDrawable); extern _X_EXPORT void DamageRegionRendered (DrawablePtr pDrawable, DamagePtr pDamage, RegionPtr pOldDamage, RegionPtr pRegion); +/* Call this when you create a new Damage and you wish to send an initial damage message (to it). */ +extern _X_EXPORT void +DamageInitialDamage (DrawablePtrpDrawable, +const RegionPtr pRegion); + /* Avoid using this call, it only exists for API compatibility. */ extern _X_EXPORT void DamageDamageRegion (DrawablePtrpDrawable, -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 2/2] [libXau] XauGet*AuthByAddr: use XauGetFileName instead of XauFileName
XauGetFileName is a thread-safe variant of XauFileName. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi --- AuGetAddr.c | 12 +++- AuGetBest.c | 12 +++- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/AuGetAddr.c b/AuGetAddr.c index 897d8b5..5d6c8fb 100644 --- a/AuGetAddr.c +++ b/AuGetAddr.c @@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group. #endif #include X11/Xauth.h #include X11/Xos.h +#include stdlib.h static int binaryEqual (_Xconst char *a, _Xconst char *b, int len) @@ -64,16 +65,15 @@ _Xconst char* name) { FILE*auth_file; char*auth_name; -Xauth *entry; +Xauth *entry = NULL; -auth_name = XauFileName (); -if (!auth_name) +if (XauGetFileName (auth_name, NULL) != XAUTH_GETFN_OK) return NULL; if (access (auth_name, R_OK) != 0) /* checks REAL id */ - return NULL; + goto cleanup; auth_file = fopen (auth_name, rb); if (!auth_file) - return NULL; + goto cleanup; for (;;) { entry = XauReadAuth (auth_file); if (!entry) @@ -105,5 +105,7 @@ _Xconst char* name) XauDisposeAuth (entry); } (void) fclose (auth_file); + cleanup: +free(auth_name); return entry; } diff --git a/AuGetBest.c b/AuGetBest.c index 673ee40..096a4c0 100644 --- a/AuGetBest.c +++ b/AuGetBest.c @@ -37,6 +37,7 @@ in this Software without prior written authorization from The Open Group. #define XOS_USE_NO_LOCKING #include X11/Xos_r.h #endif +#include stdlib.h static int binaryEqual (_Xconst char *a, _Xconst char *b, int len) @@ -70,7 +71,7 @@ XauGetBestAuthByAddr ( FILE*auth_file; char*auth_name; Xauth *entry; -Xauth *best; +Xauth *best = NULL; intbest_type; inttype; #ifdef hpux @@ -78,14 +79,13 @@ XauGetBestAuthByAddr ( unsigned short fully_qual_address_length; #endif -auth_name = XauFileName (); -if (!auth_name) +if (XauGetFileName (auth_name, NULL) != XAUTH_GETFN_OK) return NULL; if (access (auth_name, R_OK) != 0) /* checks REAL id */ - return NULL; + goto cleanup; auth_file = fopen (auth_name, rb); if (!auth_file) - return NULL; + goto cleanup; #ifdef hpux if (family == FamilyLocal) { @@ -166,5 +166,7 @@ XauGetBestAuthByAddr ( XauDisposeAuth (entry); } (void) fclose (auth_file); + cleanup: +free(auth_name); return best; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 1/2] [libXau] XauGetFileName: added a thread-safe variant of XauFileName
XauGetFileName has argument char **buffer, which can be used to provide an existing buffer for XauGetFileName to store the result in. *buffer can be NULL, in which case a newly allocated block of memory will be allocated and stored at *buffer. The function also provides means to signal the required buffer length back should the buffer be too small. All different situations are signaled with a return value enum XauthGetFnStatus, where XAUTH_GETFN_OK = 0. XauFileName is reimplemented in terms of XauGetFileName. As a side effect it might reduce the chance of heap corruption. However, this still doesn't mean XauFileName is anywhere near thread safe. LibXau has been internally fixed to use XauGetFileName, so you should be safe if you don't call XauFileName directly. NetBSD getenv_r is also supported. Unfortunately this support has only been tested with a simulation function under Linux, as I don't have access to a NetBSD host, and neither FreeBSD nor Solaris provide this function. Linux getenv is already thread safe (assuming environment is not changed), as it simply returns a pointer inside the environment in process address space. Also Solaris getenv is thread safe according to its documentation. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi --- AuFileName.c| 163 ++- configure.ac|5 ++ include/X11/Xauth.h | 38 man/Xau.man | 57 +- 4 files changed, 234 insertions(+), 29 deletions(-) diff --git a/AuFileName.c b/AuFileName.c index f384f75..753d0d4 100644 --- a/AuFileName.c +++ b/AuFileName.c @@ -30,43 +30,152 @@ in this Software without prior written authorization from The Open Group. #include X11/Xauth.h #include X11/Xos.h #include stdlib.h +#include string.h +#include errno.h + +#ifdef USE_MTSAFE_GETENV +/** + * @brief xau_getenv returns the contents of an environment + * variable. + * + * Previously returned value may be trashed by this call! + * + * @returns If the value is found, the returned string may be + * allocated from heap and must be released with the function + * xau_freeenv. If the value is not found, NULL will be returned. + */ +static const char * +xau_getenv(const char *name) +{ +size_t len= 64; +char *buffer = malloc (len); +intrc = 0; + +while (buffer + (rc = getenv_r (name, buffer, len)) == -1 + errno == ERANGE) { + len *= 2; + free (buffer); + buffer = malloc (len); +} +return rc == 0 ? buffer : NULL; +} + +/** + * @brief xau_freeenv releases a variable stored in heap by + * xau_getenv. This function may be a non-op if the environment + * variables do not need to be copied. + */ +static void +xau_freeenv(char *value) +{ +free (value); +} +#else /* #if USE_MTSAFE_GETENV */ +static const char * +xau_getenv(const char *name) +{ +return getenv ((char*) name); +} + +static void +xau_freeenv(const char *value) +{ +(void) value; +} +#endif char * XauFileName (void) { -const char *slashDotXauthority = /.Xauthority; -char*name; static char*buf; -static int bsize; +static int size; +int tries; + +for (tries = 2; tries 0; --tries) { + switch (XauGetFileName (buf, size)) { + case XAUTH_GETFN_OK: + return buf; + case XAUTH_GETFN_NOT_FOUND: + case XAUTH_GETFN_OUT_OF_MEMORY: + return NULL; + case XAUTH_GETFN_BUFFER_TOO_SMALL: + buf = realloc (buf, size); + } +} + +return NULL; +} + +XauthGetFnStatus +XauGetFileName (char **buf, int *buf_len) +{ +static const char *slashDotXauthority = /.Xauthority; +int size; +/* only one of xauthority and home is non-NULL at any point of the + function to handle the fact that xau_getenv may trash the + contents of its previous return value. */ +char *xauthority = NULL; +char *home = NULL; +const char *relativeXauthority = NULL; +int rc; #ifdef WIN32 -chardir[128]; +char dir[128]; #endif -intsize; -if ((name = getenv (XAUTHORITY))) - return name; -name = getenv (HOME); -if (!name) { +/* if XAUTHORITY is provided, use that. (Still do buffer + handling.) */ +xauthority = xau_getenv (XAUTHORITY); +if (xauthority) { + size = strlen (xauthority) + 1; +} else { + home = xau_getenv (HOME); + if (!home) { #ifdef WIN32 - (void) strcpy (dir, /users/); - if ((name = getenv(USERNAME))) { - (void) strcat (dir, name); - name = dir; - } - if (!name) + char *username = xau_getenv (USERNAME); + if (username) { + snprintf (dir, sizeof(dir), /users/%s, username
[PATCH v2 0/2] [libXau] XauGetFileName: added a thread-safe variant of XauFileName
Well, we decided to take the suggestions into account nevertheles and create a thread-safe variant of XauFileName, that is used internally by libXau and thus reduces the impact to multi-threaded programs that use that function directly instead of the new XauGetFileName. I imagine the number of such programs is zero ;). While the patch may not be as simple as the original (far from it), it should be able to handle environments that don't have file name length limitations. It also supports environments that don't have a thread-safe getenv (that is, when subsequent getenv calls clobber the previous return values), by supporting the getenv_r function, if it is available. XauGetFileName is still easy to use in the basic situation, but it works in fixed size buffer situations as well. Erkki Seppälä (2): XauGetFileName: added a thread-safe variant of XauFileName XauGet*AuthByAddr: use XauGetFileName instead of XauFileName AuFileName.c| 163 ++- AuGetAddr.c | 12 ++-- AuGetBest.c | 12 ++-- configure.ac|5 ++ include/X11/Xauth.h | 38 man/Xau.man | 57 +- 6 files changed, 248 insertions(+), 39 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2] [xorg/xserver] os/client: Prevent rare fd leak in DetermineClientPid
DetermineClientPid didn't close file descriptor if read on /proc/pid/cmdline failed. Adjusted the code to disregard the close return value and perform the return after that, if the read failed or returned EOF. Signed-off-by: Mark Kettenis mark.kette...@xs4all.nl Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi --- os/client.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/os/client.c b/os/client.c index 1311855..b534977 100644 --- a/os/client.c +++ b/os/client.c @@ -140,10 +140,9 @@ void DetermineClientCmd(pid_t pid, const char **cmdname, const char **cmdargs) /* Read the contents of /proc/pid/cmdline. It should contain the * process name and arguments. */ totsize = read(fd, path, sizeof(path)); +close(fd); if (totsize = 0) return; -if (close(fd) 0) -return; path[totsize - 1] = '\0'; /* Contruct the process name without arguments. */ -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[RFC] [PATCH] [xorg/xserver] damage: use DamageExtReport for the initial borderClip damage report
Instead of using the proper DamageDamageRegion for reporting the first (virtual) damage in ProcDamageCreate that covers the borderClip of the drawable window, use DamageExtReport directly. This avoids sending all other damage listeners from receiving a full window update when a new damage object is created. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- damageext/damageext.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/damageext/damageext.c b/damageext/damageext.c index cfef069..7a0a779 100644 --- a/damageext/damageext.c +++ b/damageext/damageext.c @@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client) if (pDrawable-type == DRAWABLE_WINDOW) { pRegion = ((WindowPtr) pDrawable)-borderClip; - DamageDamageRegion(pDrawable, pRegion); + DamageExtReport(NULL /* pDamage not used */, pRegion, pDamageExt); } return Success; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] [xorg/xserver] os/client: Prevent rare fd leak in DetermineClientPid
DetermineClientPid didn't close file descriptor if read on /proc/pid/cmdline failed. Added close to that path of code. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi --- os/client.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/os/client.c b/os/client.c index 1311855..5c05f9b 100644 --- a/os/client.c +++ b/os/client.c @@ -140,8 +140,10 @@ void DetermineClientCmd(pid_t pid, const char **cmdname, const char **cmdargs) /* Read the contents of /proc/pid/cmdline. It should contain the * process name and arguments. */ totsize = read(fd, path, sizeof(path)); -if (totsize = 0) +if (totsize = 0) { +close(fd); return; +} if (close(fd) 0) return; path[totsize - 1] = '\0'; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] [xorg/xserver] config: handle device change event properly
wakeup_handler in udev.c wasn't dealing with udev change events. There are situations when a device can gain its input capabilities after it has been added to the system and therefore the change events must be handled as well. The change is handled as a consecutive device removal and addition. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Stefan Kost stefan.k...@nokia.com --- Stefan, please ask a proper Reported-by tag for the bug from the original reporter. config/udev.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/config/udev.c b/config/udev.c index a2f5710..c120747 100644 --- a/config/udev.c +++ b/config/udev.c @@ -246,6 +246,10 @@ wakeup_handler(pointer data, int err, pointer read_mask) device_added(udev_device); else if (!strcmp(action, remove)) device_removed(udev_device); +else if (!strcmp(action, change)) { +device_removed(udev_device); +device_added(udev_device); +} } udev_device_unref(udev_device); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] [xorg/xserver] mi/misprite: release private record
The record allocated by miSpriteDeviceCursorInitialize was not being released. This patch adds a call to free and resetting the private record to miSpriteDeviceCursorCleanup. Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- mi/misprite.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/mi/misprite.c b/mi/misprite.c index 770951e..0306f62 100644 --- a/mi/misprite.c +++ b/mi/misprite.c @@ -892,6 +892,9 @@ miSpriteDeviceCursorCleanup(DeviceIntPtr pDev, ScreenPtr pScreen) { if (DevHasCursor(pDev)) miDCDeviceCleanup(pDev, pScreen); + +free(dixLookupPrivate(pDev-devPrivates, miSpriteDevPrivatesKey)); +dixSetPrivate(pDev-devPrivates, miSpriteDevPrivatesKey, NULL); } /* -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2] [xorg/xserver] mi/misprite: use memory management provided by dixRegisterPrivateKey
The record allocated by miSpriteDeviceCursorInitialize was not being released. This patch makes misprite use dixRegisterPrivateKey with the record size argument, which handles the memory management issues. miSpriteDeviceCursorInitialize is restructured to initialize pCursorInfo only if miDCDeviceInitialize succeeds. The record itself is zeroed on cleanup to ensure that the assumptions in the code still hold. Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- mi/misprite.c | 41 +++-- 1 files changed, 19 insertions(+), 22 deletions(-) diff --git a/mi/misprite.c b/mi/misprite.c index 770951e..c9d0180 100644 --- a/mi/misprite.c +++ b/mi/misprite.c @@ -308,7 +308,7 @@ miSpriteInitialize (ScreenPtr pScreen, if (!dixRegisterPrivateKey(miSpriteScreenKeyRec, PRIVATE_SCREEN, 0)) return FALSE; -if (!dixRegisterPrivateKey(miSpriteDevPrivatesKeyRec, PRIVATE_DEVICE, 0)) +if (!dixRegisterPrivateKey(miSpriteDevPrivatesKeyRec, PRIVATE_DEVICE, sizeof(miCursorInfoRec))) return FALSE; pScreenPriv = malloc(sizeof (miSpriteScreenRec)); @@ -860,38 +860,35 @@ miSpriteMoveCursor (DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) static Bool miSpriteDeviceCursorInitialize(DeviceIntPtr pDev, ScreenPtr pScreen) { -miCursorInfoPtr pCursorInfo; -int ret = FALSE; - -pCursorInfo = malloc(sizeof(miCursorInfoRec)); -if (!pCursorInfo) -return FALSE; - -pCursorInfo-pCursor = NULL; -pCursorInfo-x = 0; -pCursorInfo-y = 0; -pCursorInfo-isUp = FALSE; -pCursorInfo-shouldBeUp = FALSE; -pCursorInfo-pCacheWin = NullWindow; -pCursorInfo-isInCacheWin = FALSE; -pCursorInfo-checkPixels = TRUE; -pCursorInfo-pScreen = FALSE; +int ret = miDCDeviceInitialize(pDev, pScreen); -ret = miDCDeviceInitialize(pDev, pScreen); -if (!ret) +if (ret) { -free(pCursorInfo); -pCursorInfo = NULL; +miCursorInfoPtr pCursorInfo; +pCursorInfo = dixLookupPrivate(pDev-devPrivates, miSpriteDevPrivatesKey); +pCursorInfo-pCursor = NULL; +pCursorInfo-x = 0; +pCursorInfo-y = 0; +pCursorInfo-isUp = FALSE; +pCursorInfo-shouldBeUp = FALSE; +pCursorInfo-pCacheWin = NullWindow; +pCursorInfo-isInCacheWin = FALSE; +pCursorInfo-checkPixels = TRUE; +pCursorInfo-pScreen = FALSE; } -dixSetPrivate(pDev-devPrivates, miSpriteDevPrivatesKey, pCursorInfo); + return ret; } static void miSpriteDeviceCursorCleanup(DeviceIntPtr pDev, ScreenPtr pScreen) { +miCursorInfoPtr pCursorInfo = dixLookupPrivate(pDev-devPrivates, miSpriteDevPrivatesKey); + if (DevHasCursor(pDev)) miDCDeviceCleanup(pDev, pScreen); + +memset(pCursorInfo, 0, sizeof(miCursorInfoRec)); } /* -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] xfree86/common: Removed a configScreen leak when conf_screen is NULL
configScreen used a dynamically allocated buffer for XF86ConfScreenRec when conf_screen argument was NULL. This pointer was never stored anywhere, nor was it released, so this patch makes the function use automatically allocated storage in that situation. Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- hw/xfree86/common/xf86Config.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c index 28786ba..906d4bd 100644 --- a/hw/xfree86/common/xf86Config.c +++ b/hw/xfree86/common/xf86Config.c @@ -1829,9 +1829,11 @@ configScreen(confScreenPtr screenp, XF86ConfScreenPtr conf_screen, int scrnum, XF86ConfDisplayPtr dispptr; XF86ConfAdaptorLinkPtr conf_adaptor; Bool defaultMonitor = FALSE; +XF86ConfScreenRec local_conf_screen; /* used only if conf_screen is NULL */ if (!conf_screen) { -conf_screen = xnfcalloc(1, sizeof(XF86ConfScreenRec)); +memset(local_conf_screen, 0, sizeof(local_conf_screen)); +conf_screen = local_conf_screen; conf_screen-scrn_identifier = Default Screen Section; xf86Msg(X_DEFAULT, No screen section available. Using defaults.\n); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] xfree86/modes: Fixed memory leak in xf86InitialConfiguration
There were two memory leaks in the function: one was the lack of free for enabled, the other was the full lack of releasing anything when configuration was too small. The first issue was fixed by adding the missing free, the other was addressed by replacing the duplicate memory releasing sequences with one that is gotoed into. Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- hw/xfree86/modes/xf86Crtc.c | 21 - 1 files changed, 8 insertions(+), 13 deletions(-) diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c index 9a5e50a..7eaecdb 100644 --- a/hw/xfree86/modes/xf86Crtc.c +++ b/hw/xfree86/modes/xf86Crtc.c @@ -2353,6 +2353,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow) inti = scrn-scrnIndex; Bool have_outputs = TRUE; Bool ret; +Bool success = FALSE; /* Set up the device options */ config-options = xnfalloc (sizeof (xf86DeviceOptions)); @@ -2411,11 +2412,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow) * Set the position of each output */ if (!xf86InitialOutputPositions (scrn, modes)) -{ - free(crtcs); - free(modes); - return FALSE; -} + goto bailout; /* * Set initial panning of each output @@ -2426,11 +2423,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow) * Assign CRTCs to fit output configuration */ if (have_outputs !xf86PickCrtcs (scrn, crtcs, modes, 0, width, height)) -{ - free(crtcs); - free(modes); - return FALSE; -} + goto bailout; /* XXX override xf86 common frame computation code */ @@ -2507,7 +2500,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow) * Make sure the configuration isn't too small. */ if (width config-minWidth || height config-minHeight) - return FALSE; + goto bailout; /* * Limit the crtc config to virtual[XY] if the driver can't grow the @@ -2530,10 +2523,12 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow) xf86CVTMode(width, height, 60, 0, 0)); } - +success = TRUE; + bailout: free(crtcs); free(modes); -return TRUE; +free(enabled); +return success; } /* -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] [xserver] record: avoid crash when calling RecordFlushReplyBuffer recursively
RecordFlushReplyBuffer can call itself recursively through WriteClient-CallCallbacks-_CallCallbacks-RecordFlushAllContexts when the recording client's buffer cannot be completely emptied in one WriteClient. When a such a recursion occurs, it will not be broken out of which results in segmentation fault when the stack is exhausted. This patch adds a counter (a flag, really) that guards against this situation, to break out of the recursion. One alternative to this change would be to change _CallCallbacks to check the corresponding counter before the callback loop, but that might affect existing behavior, which may be relied upon. Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- record/record.c |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/record/record.c b/record/record.c index 6a93d7a..bea3046 100644 --- a/record/record.c +++ b/record/record.c @@ -77,6 +77,7 @@ typedef struct { char bufCategory; /* category of protocol in replyBuffer */ intnumBufBytes; /* number of bytes in replyBuffer */ char replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */ +intinFlush; /* are we inside RecordFlushReplyBuffer */ } RecordContextRec, *RecordContextPtr; /* RecordMinorOpRec - to hold minor opcode selections for extension requests @@ -245,8 +246,9 @@ RecordFlushReplyBuffer( int len2 ) { -if (!pContext-pRecordingClient || pContext-pRecordingClient-clientGone) +if (!pContext-pRecordingClient || pContext-pRecordingClient-clientGone || pContext-inFlush) return; +++pContext-inFlush; if (pContext-numBufBytes) WriteToClient(pContext-pRecordingClient, pContext-numBufBytes, (char *)pContext-replyBuffer); @@ -255,6 +257,7 @@ RecordFlushReplyBuffer( WriteToClient(pContext-pRecordingClient, len1, (char *)data1); if (len2) WriteToClient(pContext-pRecordingClient, len2, (char *)data2); +--pContext-inFlush; } /* RecordFlushReplyBuffer */ @@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client) pContext-numBufBytes = 0; pContext-pBufClient = NULL; pContext-continuedReply = 0; +pContext-inFlush = 0; err = RecordRegisterClients(pContext, client, (xRecordRegisterClientsReq *)stuff); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 0/2] Last two libx11 static analysis fixes
Here are the final (I hope..) two LibX11 static analysis fixes. Thanks for perseverance! ;) The cmsProp patch was amended compared to the one posted earlier while the other is as-is (except for commit message). Ander Conselvan de Oliveira (1): xcms/LRGB: don't double-free property_return Erkki Seppälä (1): xcms/cmsProp: don't deal with uninitialized values, fail instead src/xcms/LRGB.c|1 - src/xcms/cmsProp.c | 24 +--- 2 files changed, 13 insertions(+), 12 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 1/2] [libX11] xcms/LRGB: don't double-free property_return
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty failed which means that property_return wasn't set so there is no need to free it again. Double free of pointer property_return in call to free Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/xcms/LRGB.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index 750c492..2dca82e 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData( if (CorrectAtom == None || !_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom, format_return, nitems, nbytes_return, property_return)) { - Xfree ((char *)property_return); goto FreeSCCData; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 2/2] [libX11] xcms/cmsProp: don't deal with uninitialized values, fail instead
Properly handle the return value of XGetWindowProperty by considering if after the loop as well. Using freed pointer prop_ret There were numerous things wrong in how this function interacted with XGetWindowProperty. None of the local variables were initialized and remained that way if the call to XGetWindowProperty returned 1 (not Succeed). That doesn't result in after_ret being initialized in which case if it happens to be 0, the loop was exited. In that case format_ret and nitems_ret were uninitialized and the function might return with success (but with uninitialized pointer in prop_ret) or XcmsFailure. As the buffer enlarging code was called only when XGetWindowProperty failed (returned not Success), after_ret would not have been initialized. It would have been initialized only if the XGetWindowProperty has returned Success earlier, but in that case the code fragment would not have been reached. This patch alters the function to return XcmsFailure if the call to XGetWindowProperty fails. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsProp.c | 17 ++--- 1 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c index 856ae84..2826ee7 100644 --- a/src/xcms/cmsProp.c +++ b/src/xcms/cmsProp.c @@ -121,20 +121,23 @@ _XcmsGetProperty( long len = 6516; unsigned long nitems_ret, after_ret; Atom atom_ret; +int xgwp_ret; -while (XGetWindowProperty (pDpy, w, property, 0, len, False, - XA_INTEGER, atom_ret, format_ret, - nitems_ret, after_ret, - (unsigned char **)prop_ret)) { - if (after_ret 0) { +while (True) { + xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False, + XA_INTEGER, atom_ret, format_ret, + nitems_ret, after_ret, + (unsigned char **)prop_ret); + if (xgwp_ret == Success after_ret 0) { len += nitems_ret * (format_ret 3); XFree (prop_ret); } else { break; } } -if (format_ret == 0 || nitems_ret == 0) { - /* the property does not exist or is of an unexpected type */ +if (xgwp_ret != Success || format_ret == 0 || nitems_ret == 0) { + /* the property does not exist or is of an unexpected type or + getting window property failed */ return(XcmsFailure); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
Pull request for libx11 reviewed static analysis fixes
are available in the git repository at: git://gitorious.org/erkkise/libx11-fixes.git fixes-reviewed-1 Erkki Seppälä (4): Using freed pointer e Dereferencing possibly NULL str in call to function memcpy (Deref assumed on the basis of 'nonnull' parameter attribute.) Variable entry tracked as NULL was dereferenced. Comparing array against NULL is not useful xkb-server-vmods != NULL src/XlibInt.c |4 ++-- src/xkb/XKB.c |2 +- src/xkb/XKBList.c |2 ++ src/xkb/XKBMisc.c |2 +- 4 files changed, 6 insertions(+), 4 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 3/3] [libx11] Cannot reach dead statement return NULL;
Check for the NULLness of prop-name and prop-value instead of name and value, which was checked earlier anyway. Decided against using strdup due to curious memory allocation functions and the rest of the xkb not using it either. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi diff --git a/src/xkb/XKBGAlloc.c b/src/xkb/XKBGAlloc.c index 17d13be..90ec2f9 100644 --- a/src/xkb/XKBGAlloc.c +++ b/src/xkb/XKBGAlloc.c @@ -696,11 +696,11 @@ register XkbPropertyPtr prop; } prop= geom-properties[geom-num_properties]; prop-name= (char *)_XkbAlloc(strlen(name)+1); -if (!name) +if (!prop-name) return NULL; strcpy(prop-name,name); prop-value= (char *)_XkbAlloc(strlen(value)+1); -if (!value) { +if (!prop-value) { _XkbFree(prop-name); prop-name= NULL; return NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 0/3] Various fixes based on static analysis
Here are revised versions of the fixes that got some review comments on the list. Erkki Seppälä (3): Variable map goes out of scope Using uninitialized value p-modifiers Cannot reach dead statement return NULL; modules/im/ximcp/imThaiFlt.c |9 +++-- src/KeyBind.c|2 +- src/xkb/XKBGAlloc.c |4 ++-- 3 files changed, 10 insertions(+), 5 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 2/3] [libx11] Using uninitialized value p-modifiers
Small fix by using Xcalloc instead of Xmalloc Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi diff --git a/src/KeyBind.c b/src/KeyBind.c index 6d80a02..ac25ce2 100644 --- a/src/KeyBind.c +++ b/src/KeyBind.c @@ -996,7 +996,7 @@ XRebindKeysym ( tmp = dpy-key_bindings; nb = sizeof(KeySym) * nm; -if ((! (p = (struct _XKeytrans *) Xmalloc( sizeof(struct _XKeytrans || +if ((! (p = (struct _XKeytrans *) Xcalloc( 1, sizeof(struct _XKeytrans || ((! (p-string = (char *) Xmalloc( (unsigned) nbytes))) (nbytes 0)) || ((! (p-modifiers = (KeySym *) Xmalloc( (unsigned) nb))) -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 1/3] [libx11] Variable map goes out of scope
Release modifiermap before returning. Reordered code to call XGetModifierMapping after the first return from the function. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi diff --git a/modules/im/ximcp/imThaiFlt.c b/modules/im/ximcp/imThaiFlt.c index e0b3988..e2b0458 100644 --- a/modules/im/ximcp/imThaiFlt.c +++ b/modules/im/ximcp/imThaiFlt.c @@ -1262,15 +1262,20 @@ Private unsigned NumLockMask(Display *d) { int i; -XModifierKeymap *map = XGetModifierMapping (d); +XModifierKeymap *map; KeyCode numlock_keycode = XKeysymToKeycode (d, XK_Num_Lock); if (numlock_keycode == NoSymbol) return 0; +map = XGetModifierMapping (d); + for (i = 0; i 8; i++) { -if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) +if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) { +XFreeModifiermap(map); return 1 i; +} } +XFreeModifiermap(map); return 0; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 00/25] Various fixes based on static analysis - remaining patches
Here are the remaining patches of the libx11 static analysis batch that have not yet received feedback from the list. Next up, pull-request :). Ander Conselvan de Oliveira (6): Double free of pointer property_return in call to free xcms/LRGB: Fix potential resource leak. xcms/LRGB: Add a label for freeing property_return. Using freed pointer prop_ret Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count + 1) * 4U))) Using uninitialized value conv-state in call to function close_converter Erkki Seppälä (19): Variable fs not freed or pointed-to in function get_prop_name Pointer pBuf returned from fgets(buf, 256, stream) is never used Pointer pBuf returned from fgets(buf, 256, stream) is never used Using uninitialized value new Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name without length checking Variable colormap_ret goes out of scope Variable missing_list goes out of scope Variable colormap_ret goes out of scope Variable colormap_ret goes out of scope Variable colormap_ret goes out of scope Variable image goes out of scope Variable prop_name not freed or pointed-to in function strlen Variable table goes out of scope Tracked variable size was passed to a negative sink. Using uninitialized value error.resourceID in call to function _XError Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_after_ret, prop_ret) is not checked a negative value was passed to memcpy Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... modules/im/ximcp/imLcLkup.c |4 modules/im/ximcp/imRm.c |4 modules/im/ximcp/imRmAttr.c |7 +-- modules/im/ximcp/imTrX.c| 33 + modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- src/GetProp.c |2 +- src/ImUtil.c|1 + src/XlibInt.c |8 +--- src/Xrm.c | 10 +- src/xcms/LRGB.c | 25 ++--- src/xcms/cmsColNm.c |4 ++-- src/xcms/cmsProp.c | 11 ++- src/xlibi18n/XDefaultOMIF.c |9 + src/xlibi18n/lcFile.c |6 ++ src/xlibi18n/lcGeneric.c|2 +- 16 files changed, 78 insertions(+), 52 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 03/25] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used
Removed unused assignment Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index c7ad4fd..8518adf 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -651,7 +651,7 @@ ReadColornameDB( * Process lines between START_TOKEN to END_TOKEN */ -while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { /* * Found END_TOKEN so break out of for loop -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 02/25] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used
Removed unused assignment Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index 4164370..c7ad4fd 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -567,7 +567,7 @@ stringSectionSize( return(XcmsFailure); } -while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 01/25] [libx11] Variable fs not freed or pointed-to in function get_prop_name
Fixed a missing call to XFreeFont Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/XDefaultOMIF.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c index bc6b1b9..bb3986a 100644 --- a/src/xlibi18n/XDefaultOMIF.c +++ b/src/xlibi18n/XDefaultOMIF.c @@ -398,7 +398,10 @@ get_font_name( if (fs == NULL) return NULL; prop_name = get_prop_name(dpy, fs); - if (prop_name == NULL) return NULL; + if (prop_name == NULL) { +XFreeFont(dpy, fs); + return NULL; +} name = (char*) Xmalloc(strlen(prop_name) + 1); if (name) -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 07/25] [libx11] Variable missing_list goes out of scope
Fixed memory leak by adding Xfree and initializing missing_list with NULL Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index d62dfdb..ae053c9 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -313,7 +313,7 @@ _XimAttributeToValue( INT16len = data[0]; char*base_name; XFontSet rep = (XFontSet)NULL; - char**missing_list; + char**missing_list = NULL; int missing_count; char*def_string; @@ -347,6 +347,7 @@ _XimAttributeToValue( } Xfree(base_name); + Xfree(missing_list); *((XFontSet *)value) = rep; break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 11/25] [libx11] Variable image goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/ImUtil.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/ImUtil.c b/src/ImUtil.c index cd418d8..3164d43 100644 --- a/src/ImUtil.c +++ b/src/ImUtil.c @@ -372,6 +372,7 @@ XImage *XCreateImage ( if (image_bytes_per_line == 0) { image-bytes_per_line = min_bytes_per_line; } else if (image_bytes_per_line min_bytes_per_line) { + Xfree(image); return NULL; } else { image-bytes_per_line = image_bytes_per_line; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 05/25] [libx11] Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name without length checking
Fixed by using strncpy and explicitly terminating the buffer Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/XlibInt.c |7 --- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index d55c26a..52ccff1 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -1438,9 +1438,10 @@ static int _XPrintDefaultError( ext (ext-codes.major_opcode != event-request_code); ext = ext-next) ; - if (ext) - strcpy(buffer, ext-name); - else + if (ext) { + strncpy(buffer, ext-name, BUFSIZ); + buffer[BUFSIZ - 1] = '\0'; +} else buffer[0] = '\0'; } (void) fprintf(fp, (%s)\n, buffer); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 12/25] [libx11] Variable prop_name not freed or pointed-to in function strlen
Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/XDefaultOMIF.c |4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c index bb3986a..f4f141c 100644 --- a/src/xlibi18n/XDefaultOMIF.c +++ b/src/xlibi18n/XDefaultOMIF.c @@ -403,9 +403,7 @@ get_font_name( return NULL; } - name = (char*) Xmalloc(strlen(prop_name) + 1); - if (name) - strcpy(name, prop_name); + name = prop_name; XFreeFont(dpy, fs); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 08/25] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index ae053c9..5035df5 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -957,6 +957,7 @@ _XimEncodePreeditValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 24/25] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...
Removed superfluous check for NULL target_dir; it is already handled before this code. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index 21a546d..d7e375e 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 06/25] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index b6d1e12..d62dfdb 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -999,7 +999,7 @@ _XimEncodeStatusValue( XIMArg *p) { if (res-xrm_name == XrmStringToQuark(XNStdColormap)) { - XStandardColormap *colormap_ret; + XStandardColormap *colormap_ret = NULL; int count; if (!(XGetRGBColormaps(ic-core.im-core.display, @@ -1007,6 +1007,7 @@ _XimEncodeStatusValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 22/25] [libx11] Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_af
Checked return value of XGetWindowProperty and return false if it fails. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imTrX.c | 33 + 1 files changed, 21 insertions(+), 12 deletions(-) diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c index 47c231e..edcaf08 100644 --- a/modules/im/ximcp/imTrX.c +++ b/modules/im/ximcp/imTrX.c @@ -377,14 +377,19 @@ _XimXGetReadData( *ret_len = (int)nitems; if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, - prop_ret); - XChangeProperty(im-core.display, spec-lib_connect_wid, prop, - XA_STRING, 8, PropModePrepend, prop_ret[length], - (nitems - length)); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, + prop_ret) == Success) { + XChangeProperty(im-core.display, spec-lib_connect_wid, prop, + XA_STRING, 8, PropModePrepend, prop_ret[length], + (nitems - length)); + } else { + return False; + } } } else { (void)memcpy(buf, prop_ret, buf_len); @@ -393,10 +398,14 @@ _XimXGetReadData( if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, prop_ret); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, prop_ret) != Success) { + return False; + } } XChangeProperty(im-core.display, spec-lib_connect_wid, prop, XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 23/25] [libx11] a negative value was passed to memcpy
Fixed by checking for the negative return value of _Xlcwctomb and returning 0/XLookupNone in that case. Unfortunately the other return values for *status don't fit into the error (which appears to indicate some internal error or running out of memory). The other valid status codes are XBufferOverflow, XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of these has a specific meaning attached. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imLcLkup.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c index 80e4cfe..4891176 100644 --- a/modules/im/ximcp/imLcLkup.c +++ b/modules/im/ximcp/imLcLkup.c @@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char *buffer, int bytes, unsigned char pattern = ic-private.local.brl_committed; char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)]; ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern); + if(ret 0) { + if(status) *status = XLookupNone; + return(0); + } if(ret bytes) { if(status) *status = XBufferOverflow; return(ret); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 20/25] [libx11] Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com info_list-watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/XlibInt.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index 52ccff1..3d13747 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -662,6 +662,7 @@ XAddConnectionWatch( UnlockDisplay(dpy); return 0; } + info_list-watch_data = wd_array; wd_array[dpy-watcher_count] = NULL;/* for cleanliness */ } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 09/25] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c index 2e2c31f..fa86979 100644 --- a/modules/im/ximcp/imRm.c +++ b/modules/im/ximcp/imRm.c @@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue( ic-core.focus_window, colormap_ret, count, (Atom)p-value))) return False; + + Xfree(colormap_ret); } return True; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 10/25] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c index fa86979..3d09b81 100644 --- a/modules/im/ximcp/imRm.c +++ b/modules/im/ximcp/imRm.c @@ -2821,6 +2821,8 @@ _XimEncodeLocalPreeditValue( ic-core.focus_window, colormap_ret, count, (Atom)p-value))) return False; + + Xfree(colormap_ret); } return True; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 21/25] [libx11] Using uninitialized value conv-state in call to function close_converter
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Fixed by zero'ing conv on allocation. Then close_converter works properly. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c index 5860a79..12a4861 100644 --- a/modules/lc/def/lcDefConv.c +++ b/modules/lc/def/lcDefConv.c @@ -577,7 +577,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c index 074a8d7..baac73a 100644 --- a/modules/lc/gen/lcGenConv.c +++ b/modules/lc/gen/lcGenConv.c @@ -2650,7 +2650,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 04/25] [libx11] Using uninitialized value new
Zero-initialized new Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcGeneric.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c index 69ea97d..688a4cf 100644 --- a/src/xlibi18n/lcGeneric.c +++ b/src/xlibi18n/lcGeneric.c @@ -428,7 +428,7 @@ read_charset_define( char name[BUFSIZ]; XlcCharSet charsetd; char **value; -int num, new; +int num, new = 0; XlcSide side = XlcUnknown; char *tmp; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 13/25] [libx11] Variable table goes out of scope
The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 21f0af3..3e68c37 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -842,8 +842,10 @@ static void PutEntry( nprev = NodeBuckets(table); \ } else { \ table-leaf = 1; \ - if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \ + if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\ + Xfree(table); \ return; \ +} \ ((LTable)table)-buckets = (VEntry *)nprev; \ } \ *nprev = (NTable)NULL; \ -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 17/25] [libx11] xcms/LRGB: Add a label for freeing property_return.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/LRGB.c | 26 ++ 1 files changed, 10 insertions(+), 16 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index c1606be..4853483 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 9) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 3; break; @@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 7) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 1; break; @@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 6) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 0; break; default: - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } /* @@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData( } } } else { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } #ifdef ALLDEBUG @@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData( #endif /* ALLDEBUG */ } -Xfree ((char *)property_return); - /* Free the old memory and use the new structure created. */ LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData); @@ -820,6 +811,9 @@ FreeRedTblElements: FreeRedTbl: Xfree((char *)pScreenData-pRedTbl); +Free_property_return: +Xfree ((char *)property_return); + FreeSCCData: Xfree((char *)pScreenData); pPerScrnInfo-state = XcmsInitNone; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 16/25] [libx11] xcms/LRGB: Fix potential resource leak.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com property_return was not free'd if the allocation of pRedTbl failed. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/LRGB.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index d9168bd..c1606be 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, @@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 14/25] [libx11] Tracked variable size was passed to a negative sink.
Fixed the handling of the extremely unlikely situation of fstat failing Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 3e68c37..fbc8ad2 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -1596,6 +1596,12 @@ ReadInFile(_Xconst char *filename) */ GetSizeOfFile(fd, size); +/* There might have been a problem trying to stat a file */ +if (size == -1) { + close (fd); + return (char *)NULL; +} + if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */ close(fd); return (char *)NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 25/25] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...
Removed superfluous check for NULL target_dir; it is already handled before this code. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index d7e375e..18756c1 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 19/25] [libx11] Using freed pointer prop_ret
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com In the case were a first call to XGetWindowProperty succeeds but the initial value of len is smaller than the total length of the property, prop_return is freed and another call XGWP is made. If that subsequent call fails, unless the subsequent if (format_ret == 0 || nitems_ret == 0) ends up returning XcmsFailure, the freed value of prop_ret from the previous call to XGWP will be returned. This patches changes the funcion to behavior to return XcmsFailure if the call do XGetWindowProperty fails. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsProp.c | 11 ++- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c index 856ae84..9294cc7 100644 --- a/src/xcms/cmsProp.c +++ b/src/xcms/cmsProp.c @@ -121,11 +121,12 @@ _XcmsGetProperty( long len = 6516; unsigned long nitems_ret, after_ret; Atom atom_ret; +int xgwp_ret; -while (XGetWindowProperty (pDpy, w, property, 0, len, False, - XA_INTEGER, atom_ret, format_ret, - nitems_ret, after_ret, - (unsigned char **)prop_ret)) { +while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False, + XA_INTEGER, atom_ret, format_ret, + nitems_ret, after_ret, + (unsigned char **)prop_ret))) { if (after_ret 0) { len += nitems_ret * (format_ret 3); XFree (prop_ret); @@ -133,7 +134,7 @@ _XcmsGetProperty( break; } } -if (format_ret == 0 || nitems_ret == 0) { +if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) { /* the property does not exist or is of an unexpected type */ return(XcmsFailure); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 00/25] Various fixes based on static analysis - remaining patches
Here are the remaining patches of the libx11 static analysis batch that have not yet received feedback from the list. This batch has the comments fixed so that the actual change is first, while the diagnosis from the tool follows, thus making git shortlog more useful. Next up, pull-request :). Ander Conselvan de Oliveira (6): property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty faile property_return was not free'd if the allocation of pRedTbl failed. The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were sev Properly handle the return value of XGetWindowProperty by considering if after the loop as well. info_list-watch_data was being reallocated, but the return value of the reallocation was stored only into a loc Fixed by zero'ing conv on allocation. Then close_converter works properly. Erkki Seppälä (19): Fixed a missing call to XFreeFont Removed unused assignment Removed unused assignment Zero-initialized new Fixed by using strncpy and explicitly terminating the buffer Fixed memory leak by adding Xfree Fixed memory leak by adding Xfree and initializing missing_list with NULL Fixed memory leak by adding Xfree Fixed memory leak by adding Xfree Fixed memory leak by adding Xfree Fixed memory leak by adding Xfree Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of g The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfr Fixed the handling of the extremely unlikely situation of fstat failing Initialize local variable Checked return value of XGetWindowProperty and return false if it fails. Fixed by negative value to memcpy by checking for the negative return value of _Xlcwctomb and returning 0/XLooku Removed superfluous check for NULL target_dir; it is already handled before this code. Removed superfluous check for NULL target_dir; it is already handled before this code. modules/im/ximcp/imLcLkup.c |4 modules/im/ximcp/imRm.c |4 modules/im/ximcp/imRmAttr.c |7 +-- modules/im/ximcp/imTrX.c| 33 + modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- src/GetProp.c |2 +- src/ImUtil.c|1 + src/XlibInt.c |8 +--- src/Xrm.c | 10 +- src/xcms/LRGB.c | 25 ++--- src/xcms/cmsColNm.c |4 ++-- src/xcms/cmsProp.c | 11 ++- src/xlibi18n/XDefaultOMIF.c |9 + src/xlibi18n/lcFile.c |6 ++ src/xlibi18n/lcGeneric.c|2 +- 16 files changed, 78 insertions(+), 52 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 03/25] [libx11] Removed unused assignment
Pointer pBuf returned from fgets(buf, 256, stream) is never used Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index c7ad4fd..8518adf 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -651,7 +651,7 @@ ReadColornameDB( * Process lines between START_TOKEN to END_TOKEN */ -while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { /* * Found END_TOKEN so break out of for loop -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 02/25] [libx11] Removed unused assignment
Pointer pBuf returned from fgets(buf, 256, stream) is never used Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index 4164370..c7ad4fd 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -567,7 +567,7 @@ stringSectionSize( return(XcmsFailure); } -while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 13/25] [libx11] The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree.
Variable table goes out of scope Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 21f0af3..3e68c37 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -842,8 +842,10 @@ static void PutEntry( nprev = NodeBuckets(table); \ } else { \ table-leaf = 1; \ - if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \ + if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\ + Xfree(table); \ return; \ +} \ ((LTable)table)-buckets = (VEntry *)nprev; \ } \ *nprev = (NTable)NULL; \ -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 01/25] [libx11] Fixed a missing call to XFreeFont
Variable fs not freed or pointed-to in function get_prop_name Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/XDefaultOMIF.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c index bc6b1b9..bb3986a 100644 --- a/src/xlibi18n/XDefaultOMIF.c +++ b/src/xlibi18n/XDefaultOMIF.c @@ -398,7 +398,10 @@ get_font_name( if (fs == NULL) return NULL; prop_name = get_prop_name(dpy, fs); - if (prop_name == NULL) return NULL; + if (prop_name == NULL) { +XFreeFont(dpy, fs); + return NULL; +} name = (char*) Xmalloc(strlen(prop_name) + 1); if (name) -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 14/25] [libx11] Fixed the handling of the extremely unlikely situation of fstat failing
Tracked variable size was passed to a negative sink. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 3e68c37..fbc8ad2 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -1596,6 +1596,12 @@ ReadInFile(_Xconst char *filename) */ GetSizeOfFile(fd, size); +/* There might have been a problem trying to stat a file */ +if (size == -1) { + close (fd); + return (char *)NULL; +} + if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */ close(fd); return (char *)NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 09/25] [libx11] Fixed memory leak by adding Xfree
Variable colormap_ret goes out of scope Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c index 2e2c31f..fa86979 100644 --- a/modules/im/ximcp/imRm.c +++ b/modules/im/ximcp/imRm.c @@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue( ic-core.focus_window, colormap_ret, count, (Atom)p-value))) return False; + + Xfree(colormap_ret); } return True; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 15/25] [libx11] property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty failed which means that property_return wasn't set so there is no need
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Double free of pointer property_return in call to free Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/LRGB.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index 2f7a4cc..d9168bd 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData( if (CorrectAtom == None || !_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom, format_return, nitems, nbytes_return, property_return)) { - Xfree ((char *)property_return); goto FreeSCCData; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 08/25] [libx11] Fixed memory leak by adding Xfree
Variable colormap_ret goes out of scope Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index ae053c9..5035df5 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -957,6 +957,7 @@ _XimEncodePreeditValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 11/25] [libx11] Fixed memory leak by adding Xfree
Variable image goes out of scope Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/ImUtil.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/ImUtil.c b/src/ImUtil.c index cd418d8..3164d43 100644 --- a/src/ImUtil.c +++ b/src/ImUtil.c @@ -372,6 +372,7 @@ XImage *XCreateImage ( if (image_bytes_per_line == 0) { image-bytes_per_line = min_bytes_per_line; } else if (image_bytes_per_line min_bytes_per_line) { + Xfree(image); return NULL; } else { image-bytes_per_line = image_bytes_per_line; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 06/25] [libx11] Fixed memory leak by adding Xfree
Variable colormap_ret goes out of scope Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index b6d1e12..d62dfdb 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -999,7 +999,7 @@ _XimEncodeStatusValue( XIMArg *p) { if (res-xrm_name == XrmStringToQuark(XNStdColormap)) { - XStandardColormap *colormap_ret; + XStandardColormap *colormap_ret = NULL; int count; if (!(XGetRGBColormaps(ic-core.im-core.display, @@ -1007,6 +1007,7 @@ _XimEncodeStatusValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 05/25] [libx11] Fixed by using strncpy and explicitly terminating the buffer
Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name without length checking Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/XlibInt.c |7 --- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index d55c26a..52ccff1 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -1438,9 +1438,10 @@ static int _XPrintDefaultError( ext (ext-codes.major_opcode != event-request_code); ext = ext-next) ; - if (ext) - strcpy(buffer, ext-name); - else + if (ext) { + strncpy(buffer, ext-name, BUFSIZ); + buffer[BUFSIZ - 1] = '\0'; +} else buffer[0] = '\0'; } (void) fprintf(fp, (%s)\n, buffer); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 21/25] [libx11] Fixed by zero'ing conv on allocation. Then close_converter works properly.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Using uninitialized value conv-state in call to function close_converter Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c index 5860a79..12a4861 100644 --- a/modules/lc/def/lcDefConv.c +++ b/modules/lc/def/lcDefConv.c @@ -577,7 +577,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c index 074a8d7..baac73a 100644 --- a/modules/lc/gen/lcGenConv.c +++ b/modules/lc/gen/lcGenConv.c @@ -2650,7 +2650,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 18/25] [libx11] Initialize local variable
Using uninitialized value error.resourceID in call to function _XError Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/GetProp.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/GetProp.c b/src/GetProp.c index a80c19c..5d6e0b8 100644 --- a/src/GetProp.c +++ b/src/GetProp.c @@ -46,7 +46,7 @@ XGetWindowProperty( { xGetPropertyReply reply; register xGetPropertyReq *req; -xError error; +xError error = {0}; LockDisplay(dpy); GetReq (GetProperty, req); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 04/25] [libx11] Zero-initialized new
Using uninitialized value new Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcGeneric.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c index 69ea97d..688a4cf 100644 --- a/src/xlibi18n/lcGeneric.c +++ b/src/xlibi18n/lcGeneric.c @@ -428,7 +428,7 @@ read_charset_define( char name[BUFSIZ]; XlcCharSet charsetd; char **value; -int num, new; +int num, new = 0; XlcSide side = XlcUnknown; char *tmp; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 20/25] [libx11] info_list-watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count + 1) * 4U))) Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/XlibInt.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index 52ccff1..3d13747 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -662,6 +662,7 @@ XAddConnectionWatch( UnlockDisplay(dpy); return 0; } + info_list-watch_data = wd_array; wd_array[dpy-watcher_count] = NULL;/* for cleanliness */ } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 22/25] [libx11] Checked return value of XGetWindowProperty and return false if it fails.
Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_after_ret, prop_ret) is not checked Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imTrX.c | 33 + 1 files changed, 21 insertions(+), 12 deletions(-) diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c index 47c231e..edcaf08 100644 --- a/modules/im/ximcp/imTrX.c +++ b/modules/im/ximcp/imTrX.c @@ -377,14 +377,19 @@ _XimXGetReadData( *ret_len = (int)nitems; if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, - prop_ret); - XChangeProperty(im-core.display, spec-lib_connect_wid, prop, - XA_STRING, 8, PropModePrepend, prop_ret[length], - (nitems - length)); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, + prop_ret) == Success) { + XChangeProperty(im-core.display, spec-lib_connect_wid, prop, + XA_STRING, 8, PropModePrepend, prop_ret[length], + (nitems - length)); + } else { + return False; + } } } else { (void)memcpy(buf, prop_ret, buf_len); @@ -393,10 +398,14 @@ _XimXGetReadData( if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, prop_ret); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, prop_ret) != Success) { + return False; + } } XChangeProperty(im-core.display, spec-lib_connect_wid, prop, XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 17/25] [libx11] The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com xcms/LRGB: Add a label for freeing property_return. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/LRGB.c | 26 ++ 1 files changed, 10 insertions(+), 16 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index c1606be..4853483 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 9) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 3; break; @@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 7) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 1; break; @@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 6) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 0; break; default: - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } /* @@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData( } } } else { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } #ifdef ALLDEBUG @@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData( #endif /* ALLDEBUG */ } -Xfree ((char *)property_return); - /* Free the old memory and use the new structure created. */ LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData); @@ -820,6 +811,9 @@ FreeRedTblElements: FreeRedTbl: Xfree((char *)pScreenData-pRedTbl); +Free_property_return: +Xfree ((char *)property_return); + FreeSCCData: Xfree((char *)pScreenData); pPerScrnInfo-state = XcmsInitNone; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 16/25] [libx11] property_return was not free'd if the allocation of pRedTbl failed.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com xcms/LRGB: Fix potential resource leak. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/LRGB.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index d9168bd..c1606be 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, @@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 12/25] [libx11] Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name.
Variable prop_name not freed or pointed-to in function strlen Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/XDefaultOMIF.c |4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c index bb3986a..f4f141c 100644 --- a/src/xlibi18n/XDefaultOMIF.c +++ b/src/xlibi18n/XDefaultOMIF.c @@ -403,9 +403,7 @@ get_font_name( return NULL; } - name = (char*) Xmalloc(strlen(prop_name) + 1); - if (name) - strcpy(name, prop_name); + name = prop_name; XFreeFont(dpy, fs); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 25/25] [libx11] Removed superfluous check for NULL target_dir; it is already handled before this code.
Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index d7e375e..18756c1 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 24/25] [libx11] Removed superfluous check for NULL target_dir; it is already handled before this code.
Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index 21a546d..d7e375e 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 23/25] [libx11] Fixed by negative value to memcpy by checking for the negative return value of _Xlcwctomb and returning 0/XLookupNone in that case.
a negative value was passed to memcpy Unfortunately the other return values for *status don't fit into the error (which appears to indicate some internal error or running out of memory). The other valid status codes are XBufferOverflow, XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of these has a specific meaning attached. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imLcLkup.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c index 80e4cfe..4891176 100644 --- a/modules/im/ximcp/imLcLkup.c +++ b/modules/im/ximcp/imLcLkup.c @@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char *buffer, int bytes, unsigned char pattern = ic-private.local.brl_committed; char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)]; ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern); + if(ret 0) { + if(status) *status = XLookupNone; + return(0); + } if(ret bytes) { if(status) *status = XBufferOverflow; return(ret); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH v2 07/25] [libx11] Fixed memory leak by adding Xfree and initializing missing_list with NULL
Variable missing_list goes out of scope Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index d62dfdb..ae053c9 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -313,7 +313,7 @@ _XimAttributeToValue( INT16len = data[0]; char*base_name; XFontSet rep = (XFontSet)NULL; - char**missing_list; + char**missing_list = NULL; int missing_count; char*def_string; @@ -347,6 +347,7 @@ _XimAttributeToValue( } Xfree(base_name); + Xfree(missing_list); *((XFontSet *)value) = rep; break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 11/32] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index ae053c9..5035df5 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -957,6 +957,7 @@ _XimEncodePreeditValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 19/32] [libx11] Variable entry tracked as NULL was dereferenced.
Check entry for non-nullness before dereferencing it Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xkb/XKB.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xkb/XKB.c b/src/xkb/XKB.c index 42dba99..f926cb9 100644 --- a/src/xkb/XKB.c +++ b/src/xkb/XKB.c @@ -462,7 +462,7 @@ XkbKTMapEntryPtrentry = NULL; if (map_rtrn!=NULL) { bzero(map_rtrn,type-mods.mask+1); for (i=0;itype-map_count;i++) { - if (entry-active) { + if (entry entry-active) { map_rtrn[type-map[i].mods.mask]= type-map[i].level; } } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 20/32] [libx11] Double free of pointer property_return in call to free
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty failed which means that property_return wasn't set so there is no need to free it again. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/xcms/LRGB.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index 2f7a4cc..d9168bd 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData( if (CorrectAtom == None || !_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom, format_return, nitems, nbytes_return, property_return)) { - Xfree ((char *)property_return); goto FreeSCCData; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 16/32] [libx11] Variable table goes out of scope
The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 21f0af3..3e68c37 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -842,8 +842,10 @@ static void PutEntry( nprev = NodeBuckets(table); \ } else { \ table-leaf = 1; \ - if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \ + if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\ + Xfree(table); \ return; \ +} \ ((LTable)table)-buckets = (VEntry *)nprev; \ } \ *nprev = (NTable)NULL; \ -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 23/32] [libx11] Using uninitialized value error.resourceID in call to function _XError
Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/GetProp.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/GetProp.c b/src/GetProp.c index a80c19c..5d6e0b8 100644 --- a/src/GetProp.c +++ b/src/GetProp.c @@ -46,7 +46,7 @@ XGetWindowProperty( { xGetPropertyReply reply; register xGetPropertyReq *req; -xError error; +xError error = {0}; LockDisplay(dpy); GetReq (GetProperty, req); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 21/32] [libx11] xcms/LRGB: Fix potential resource leak.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com property_return was not free'd if the allocation of pRedTbl failed. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/xcms/LRGB.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index d9168bd..c1606be 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, @@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { + XFree ((char * ) property_return); goto FreeSCCData; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 13/32] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c index fa86979..3d09b81 100644 --- a/modules/im/ximcp/imRm.c +++ b/modules/im/ximcp/imRm.c @@ -2821,6 +2821,8 @@ _XimEncodeLocalPreeditValue( ic-core.focus_window, colormap_ret, count, (Atom)p-value))) return False; + + Xfree(colormap_ret); } return True; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 27/32] [libx11] Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_af
Checked return value of XGetWindowProperty and return false if it fails. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imTrX.c | 33 + 1 files changed, 21 insertions(+), 12 deletions(-) diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c index 47c231e..165832c 100644 --- a/modules/im/ximcp/imTrX.c +++ b/modules/im/ximcp/imTrX.c @@ -377,14 +377,19 @@ _XimXGetReadData( *ret_len = (int)nitems; if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, - prop_ret); - XChangeProperty(im-core.display, spec-lib_connect_wid, prop, - XA_STRING, 8, PropModePrepend, prop_ret[length], - (nitems - length)); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, + prop_ret) == Success) { + XChangeProperty(im-core.display, spec-lib_connect_wid, prop, + XA_STRING, 8, PropModePrepend, prop_ret[length], + (nitems - length)); + } else { + return False; + } } } else { (void)memcpy(buf, prop_ret, buf_len); @@ -393,10 +398,14 @@ _XimXGetReadData( if (bytes_after_ret 0) { XFree(prop_ret); - XGetWindowProperty(im-core.display, - spec-lib_connect_wid, prop, 0L, - ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType, - type_ret, format_ret, nitems, bytes_after_ret, prop_ret); + if (XGetWindowProperty(im-core.display, + spec-lib_connect_wid, prop, 0L, + ((length + bytes_after_ret + 3)/ 4), + True, AnyPropertyType, + type_ret, format_ret, nitems, + bytes_after_ret, prop_ret) != Success) { + return False; + } } XChangeProperty(im-core.display, spec-lib_connect_wid, prop, XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 24/32] [libx11] Using freed pointer prop_ret
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com In the case were a first call to XGetWindowProperty succeeds but the initial value of len is smaller than the total length of the property, prop_return is freed and another call XGWP is made. If that subsequent call fails, unless the subsequent if (format_ret == 0 || nitems_ret == 0) ends up returning XcmsFailure, the freed value of prop_ret from the previous call to XGWP will be returned. This patches changes the funcion to behavior to return XcmsFailure if the call do XGetWindowProperty fails. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/xcms/cmsProp.c | 11 ++- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c index 856ae84..9294cc7 100644 --- a/src/xcms/cmsProp.c +++ b/src/xcms/cmsProp.c @@ -121,11 +121,12 @@ _XcmsGetProperty( long len = 6516; unsigned long nitems_ret, after_ret; Atom atom_ret; +int xgwp_ret; -while (XGetWindowProperty (pDpy, w, property, 0, len, False, - XA_INTEGER, atom_ret, format_ret, - nitems_ret, after_ret, - (unsigned char **)prop_ret)) { +while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False, + XA_INTEGER, atom_ret, format_ret, + nitems_ret, after_ret, + (unsigned char **)prop_ret))) { if (after_ret 0) { len += nitems_ret * (format_ret 3); XFree (prop_ret); @@ -133,7 +134,7 @@ _XcmsGetProperty( break; } } -if (format_ret == 0 || nitems_ret == 0) { +if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) { /* the property does not exist or is of an unexpected type */ return(XcmsFailure); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 18/32] [libx11] Tracked variable size was passed to a negative sink.
Fixed the handling of the extremely unlikely situation of fstat failing Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/Xrm.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/src/Xrm.c b/src/Xrm.c index 3e68c37..b243d60 100644 --- a/src/Xrm.c +++ b/src/Xrm.c @@ -1595,6 +1595,12 @@ ReadInFile(_Xconst char *filename) * to the size returned by fstat. */ GetSizeOfFile(fd, size); + +/* There might have been a problem trying to stat a file */ +if (size == -1) { + close (fd); + return (char *)NULL; +} if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */ close(fd); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 30/32] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...
Removed superfluous check for NULL target_dir; it is already handled before this code. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index 21a546d..d7e375e 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 28/32] [libx11] Comparing array against NULL is not useful xkb-server-vmods != NULL
Removed superfluous comparison. Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xkb/XKBMisc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xkb/XKBMisc.c b/src/xkb/XKBMisc.c index fc5ae5f..4aa1f73 100644 --- a/src/xkb/XKBMisc.c +++ b/src/xkb/XKBMisc.c @@ -619,7 +619,7 @@ KeySym *syms; XkbApplyCompatMapToKey(xkb,key,changes); } -if ((xkb-server-vmods!=NULL)(xkb-map-modmap!=NULL)(changes) +if ((xkb-map-modmap!=NULL)(changes) (changes-map.changed(XkbVirtualModMapMask|XkbModifierMapMask))) { unsigned char newVMods[XkbNumVirtualMods]; register unsigned bit,i; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 31/32] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...
Removed superfluous check for NULL target_dir; it is already handled before this code. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcFile.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c index d7e375e..18756c1 100644 --- a/src/xlibi18n/lcFile.c +++ b/src/xlibi18n/lcFile.c @@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char *lc_name) Xfree(name); continue; } - if ((1 + (target_dir ? strlen (target_dir) : 0) + -strlen(locale.dir)) PATH_MAX) { + if ((1 + strlen (target_dir) + strlen(locale.dir)) PATH_MAX) { sprintf(buf, %s/locale.dir, target_dir); target_name = resolve_name(name, buf, RtoL); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 12/32] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c index 2e2c31f..fa86979 100644 --- a/modules/im/ximcp/imRm.c +++ b/modules/im/ximcp/imRm.c @@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue( ic-core.focus_window, colormap_ret, count, (Atom)p-value))) return False; + + Xfree(colormap_ret); } return True; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 10/32] [libx11] Variable missing_list goes out of scope
Fixed memory leak by adding Xfree and initializing missing_list with NULL Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index d62dfdb..ae053c9 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -313,7 +313,7 @@ _XimAttributeToValue( INT16len = data[0]; char*base_name; XFontSet rep = (XFontSet)NULL; - char**missing_list; + char**missing_list = NULL; int missing_count; char*def_string; @@ -347,6 +347,7 @@ _XimAttributeToValue( } Xfree(base_name); + Xfree(missing_list); *((XFontSet *)value) = rep; break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 15/32] [libx11] Variable prop_name not freed or pointed-to in function strlen
Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/XDefaultOMIF.c |4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c index bb3986a..f4f141c 100644 --- a/src/xlibi18n/XDefaultOMIF.c +++ b/src/xlibi18n/XDefaultOMIF.c @@ -403,9 +403,7 @@ get_font_name( return NULL; } - name = (char*) Xmalloc(strlen(prop_name) + 1); - if (name) - strcpy(name, prop_name); + name = prop_name; XFreeFont(dpy, fs); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 17/32] [libx11] Dereferencing possibly NULL str in call to function memcpy (Deref assumed on the basis of 'nonnull' parameter attribute.)
If _XkbGetReadBufferPtr returns NULL, goto BAILOUT Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xkb/XKBList.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/xkb/XKBList.c b/src/xkb/XKBList.c index e1b4127..dec96b7 100644 --- a/src/xkb/XKBList.c +++ b/src/xkb/XKBList.c @@ -79,6 +79,8 @@ char *str; if (!this-name) goto BAILOUT; str= (char *)_XkbGetReadBufferPtr(buf,wlen); + if (!str) + goto BAILOUT; memcpy(this-name,str,slen); } return first; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 29/32] [libx11] a negative value was passed to memcpy
Fixed by checking for the negative return value of _Xlcwctomb and returning 0/XLookupNone in that case. Unfortunately the other return values for *status don't fit into the error (which appears to indicate some internal error or running out of memory). The other valid status codes are XBufferOverflow, XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of these has a specific meaning attached. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imLcLkup.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c index 80e4cfe..4891176 100644 --- a/modules/im/ximcp/imLcLkup.c +++ b/modules/im/ximcp/imLcLkup.c @@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char *buffer, int bytes, unsigned char pattern = ic-private.local.brl_committed; char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)]; ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern); + if(ret 0) { + if(status) *status = XLookupNone; + return(0); + } if(ret bytes) { if(status) *status = XBufferOverflow; return(ret); -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 25/32] [libx11] Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com info_list-watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/XlibInt.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index 9f2745e..a78da9b 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -662,6 +662,7 @@ XAddConnectionWatch( UnlockDisplay(dpy); return 0; } + info_list-watch_data = wd_array; wd_array[dpy-watcher_count] = NULL;/* for cleanliness */ } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 26/32] [libx11] Using uninitialized value conv-state in call to function close_converter
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Fixed by zero'ing conv on allocation. Then close_converter works properly. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c index 5860a79..12a4861 100644 --- a/modules/lc/def/lcDefConv.c +++ b/modules/lc/def/lcDefConv.c @@ -577,7 +577,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c index 074a8d7..baac73a 100644 --- a/modules/lc/gen/lcGenConv.c +++ b/modules/lc/gen/lcGenConv.c @@ -2650,7 +2650,7 @@ create_conv( XlcConv conv; State state; -conv = (XlcConv) Xmalloc(sizeof(XlcConvRec)); +conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec)); if (conv == NULL) return (XlcConv) NULL; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 22/32] [libx11] xcms/LRGB: Add a label for freeing property_return.
From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto. Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi Signed-off-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com --- src/xcms/LRGB.c | 26 ++ 1 files changed, 10 insertions(+), 16 deletions(-) diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c index c1606be..4853483 100644 --- a/src/xcms/LRGB.c +++ b/src/xcms/LRGB.c @@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 9) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 3; break; @@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 7) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 1; break; @@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData( * intensity2 */ if (nitems 6) { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } count = 0; break; default: - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } /* @@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData( /* Red Intensity Table */ if (!(pScreenData-pRedTbl = (IntensityTbl *) Xcalloc (1, sizeof(IntensityTbl { - XFree ((char * ) property_return); - goto FreeSCCData; + goto Free_property_return; } if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar, nitems) == XcmsFailure) { @@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData( } } } else { - Xfree ((char *)property_return); - goto FreeSCCData; + goto Free_property_return; } #ifdef ALLDEBUG @@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData( #endif /* ALLDEBUG */ } -Xfree ((char *)property_return); - /* Free the old memory and use the new structure created. */ LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData); @@ -820,6 +811,9 @@ FreeRedTblElements: FreeRedTbl: Xfree((char *)pScreenData-pRedTbl); +Free_property_return: +Xfree ((char *)property_return); + FreeSCCData: Xfree((char *)pScreenData); pPerScrnInfo-state = XcmsInitNone; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 32/32] [libx11] Cannot reach dead statement return NULL;
Removed superfluous check for NULL. name == NULL is already checked at the function entry. Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xkb/XKBGAlloc.c |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/src/xkb/XKBGAlloc.c b/src/xkb/XKBGAlloc.c index 17d13be..a1cce94 100644 --- a/src/xkb/XKBGAlloc.c +++ b/src/xkb/XKBGAlloc.c @@ -696,8 +696,6 @@ register XkbPropertyPtr prop; } prop= geom-properties[geom-num_properties]; prop-name= (char *)_XkbAlloc(strlen(name)+1); -if (!name) - return NULL; strcpy(prop-name,name); prop-value= (char *)_XkbAlloc(strlen(value)+1); if (!value) { -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 00/31] Various fixes based on static analysis
Here is a bunch of fixes based on the findings of a static code analysis tool. Ander Conselvan de Oliveira (6): Double free of pointer property_return in call to free xcms/LRGB: Fix potential resource leak. xcms/LRGB: Add a label for freeing property_return. Using freed pointer prop_ret Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count + 1) * 4U))) Using uninitialized value conv-state in call to function close_converter Erkki Seppälä (26): Using freed pointer e Variable map goes out of scope Using uninitialized value p-modifiers Variable fs not freed or pointed-to in function get_prop_name Pointer pBuf returned from fgets(buf, 256, stream) is never used Pointer pBuf returned from fgets(buf, 256, stream) is never used Using uninitialized value new Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name without length checking Variable colormap_ret goes out of scope Variable missing_list goes out of scope Variable colormap_ret goes out of scope Variable colormap_ret goes out of scope Variable colormap_ret goes out of scope Variable image goes out of scope Variable prop_name not freed or pointed-to in function strlen Variable table goes out of scope Dereferencing possibly NULL str in call to function memcpy (Deref assumed on the basis of 'nonnull' parameter attribute.) Tracked variable size was passed to a negative sink. Variable entry tracked as NULL was dereferenced. Using uninitialized value error.resourceID in call to function _XError Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_after_ret, prop_ret) is not checked Comparing array against NULL is not useful xkb-server-vmods != NULL a negative value was passed to memcpy Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl... Cannot reach dead statement return NULL; modules/im/ximcp/imLcLkup.c |4 modules/im/ximcp/imRm.c |4 modules/im/ximcp/imRmAttr.c |7 +-- modules/im/ximcp/imThaiFlt.c |5 - modules/im/ximcp/imTrX.c | 33 + modules/lc/def/lcDefConv.c |2 +- modules/lc/gen/lcGenConv.c |2 +- src/GetProp.c|2 +- src/ImUtil.c |1 + src/KeyBind.c|5 - src/XlibInt.c| 12 +++- src/Xrm.c| 10 +- src/xcms/LRGB.c | 25 ++--- src/xcms/cmsColNm.c |4 ++-- src/xcms/cmsProp.c | 11 ++- src/xkb/XKB.c|2 +- src/xkb/XKBGAlloc.c |2 -- src/xkb/XKBList.c|2 ++ src/xkb/XKBMisc.c|2 +- src/xlibi18n/XDefaultOMIF.c |9 + src/xlibi18n/lcFile.c|6 ++ src/xlibi18n/lcGeneric.c |2 +- 22 files changed, 92 insertions(+), 60 deletions(-) ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 01/32] [libx11] Using freed pointer e
Reordered code to first to do the comparison and then to release data Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/XlibInt.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/XlibInt.c b/src/XlibInt.c index d55c26a..c385f4c 100644 --- a/src/XlibInt.c +++ b/src/XlibInt.c @@ -777,10 +777,10 @@ _XFreeEventCookies(Display *dpy) head = (struct stored_event**)dpy-cookiejar; DL_FOREACH_SAFE(*head, e, tmp) { -XFree(e-ev.data); -XFree(e); if (dpy-cookiejar == e) dpy-cookiejar = NULL; +XFree(e-ev.data); +XFree(e); } } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 02/32] [libx11] Variable map goes out of scope
Release modifiermap before returning Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imThaiFlt.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imThaiFlt.c b/modules/im/ximcp/imThaiFlt.c index e0b3988..ca8c601 100644 --- a/modules/im/ximcp/imThaiFlt.c +++ b/modules/im/ximcp/imThaiFlt.c @@ -1268,9 +1268,12 @@ NumLockMask(Display *d) return 0; for (i = 0; i 8; i++) { -if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) +if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) { +XFreeModifiermap(map); return 1 i; +} } +XFreeModifiermap(map); return 0; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 05/32] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used
Removed unused assignment Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index 4164370..c7ad4fd 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -567,7 +567,7 @@ stringSectionSize( return(XcmsFailure); } -while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { break; } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 03/32] [libx11] Using uninitialized value p-modifiers
Smal fix by using calloc instead of Xmalloc Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/KeyBind.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/KeyBind.c b/src/KeyBind.c index 6d80a02..5b78efc 100644 --- a/src/KeyBind.c +++ b/src/KeyBind.c @@ -46,6 +46,7 @@ in this Software without prior written authorization from The Open Group. #define XK_XKB_KEYS #include X11/keysymdef.h #include stdio.h +#include stdlib.h #ifdef USE_OWN_COMPOSE #include imComp.h @@ -996,13 +997,15 @@ XRebindKeysym ( tmp = dpy-key_bindings; nb = sizeof(KeySym) * nm; -if ((! (p = (struct _XKeytrans *) Xmalloc( sizeof(struct _XKeytrans || +/* using calloc to zero the contents of allocated structure */ +if ((! (p = (struct _XKeytrans *) calloc( 1, sizeof(struct _XKeytrans || ((! (p-string = (char *) Xmalloc( (unsigned) nbytes))) (nbytes 0)) || ((! (p-modifiers = (KeySym *) Xmalloc( (unsigned) nb))) (nb 0))) { if (p) { if (p-string) Xfree(p-string); + /* without calloc, p-modifiers could end up being uninitialized */ if (p-modifiers) Xfree((char *) p-modifiers); Xfree((char *) p); } -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 06/32] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used
Removed unused assignment Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xcms/cmsColNm.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c index c7ad4fd..8518adf 100644 --- a/src/xcms/cmsColNm.c +++ b/src/xcms/cmsColNm.c @@ -651,7 +651,7 @@ ReadColornameDB( * Process lines between START_TOKEN to END_TOKEN */ -while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { +while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) { if ((sscanf(buf, %s, token)) (strcmp(token, END_TOKEN) == 0)) { /* * Found END_TOKEN so break out of for loop -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 09/32] [libx11] Variable colormap_ret goes out of scope
Fixed memory leak by adding Xfree Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- modules/im/ximcp/imRmAttr.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c index b6d1e12..d62dfdb 100644 --- a/modules/im/ximcp/imRmAttr.c +++ b/modules/im/ximcp/imRmAttr.c @@ -999,7 +999,7 @@ _XimEncodeStatusValue( XIMArg *p) { if (res-xrm_name == XrmStringToQuark(XNStdColormap)) { - XStandardColormap *colormap_ret; + XStandardColormap *colormap_ret = NULL; int count; if (!(XGetRGBColormaps(ic-core.im-core.display, @@ -1007,6 +1007,7 @@ _XimEncodeStatusValue( count, (Atom)p-value))) return False; + XFree(colormap_ret); } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) { int list_ret; XFontStruct **struct_list; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH 07/32] [libx11] Using uninitialized value new
Zero-initialized new Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi --- src/xlibi18n/lcGeneric.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c index 69ea97d..688a4cf 100644 --- a/src/xlibi18n/lcGeneric.c +++ b/src/xlibi18n/lcGeneric.c @@ -428,7 +428,7 @@ read_charset_define( char name[BUFSIZ]; XlcCharSet charsetd; char **value; -int num, new; +int num, new = 0; XlcSide side = XlcUnknown; char *tmp; -- 1.7.0.4 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel