[RFC] [PATCH v3] damage: use DamageReportDamage for the initial borderClip damage report

[Erkki Seppälä]

Instead of using DamageDamageRegion for reporting the first (virtual)
damage in ProcDamageCreate that covers the borderClip of the drawable
window, use a function DamageReportDamage directly (previously called
damageReportDamage). This avoids sending all other damage listeners a
full window update when a new damage object is created.

As this patch makes DamageReportDamage a public interface, the
function has been moved into the part of the file that contains all
the other public functions. The function has not been otherwise
modified.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 damageext/damageext.c |2 +-
 miext/damage/damage.c |  101 +
 miext/damage/damage.h |4 ++
 3 files changed, 56 insertions(+), 51 deletions(-)

diff --git a/damageext/damageext.c b/damageext/damageext.c
index cfef069..6958d89 100644
--- a/damageext/damageext.c
+++ b/damageext/damageext.c
@@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client)
 if (pDrawable-type == DRAWABLE_WINDOW)
 {
pRegion = ((WindowPtr) pDrawable)-borderClip;
-   DamageDamageRegion(pDrawable, pRegion);
+   DamageReportDamage(pDamageExt-pDamage, pRegion);
 }
 
 return Success;
diff --git a/miext/damage/damage.c b/miext/damage/damage.c
index a3de044..f13bfbc 100644
--- a/miext/damage/damage.c
+++ b/miext/damage/damage.c
@@ -121,54 +121,6 @@ getDrawableDamageRef (DrawablePtr pDrawable)
dixLookupPrivateAddr((pWindow)-devPrivates, damageWinPrivateKey)
 
 static void
-damageReportDamage (DamagePtr pDamage, RegionPtr pDamageRegion)
-{
-BoxRec tmpBox;
-RegionRec tmpRegion;
-Bool was_empty;
-
-switch (pDamage-damageLevel) {
-case DamageReportRawRegion:
-   RegionUnion(pDamage-damage, pDamage-damage,
-pDamageRegion);
-   (*pDamage-damageReport) (pDamage, pDamageRegion, pDamage-closure);
-   break;
-case DamageReportDeltaRegion:
-   RegionNull(tmpRegion);
-   RegionSubtract(tmpRegion, pDamageRegion, pDamage-damage);
-   if (RegionNotEmpty(tmpRegion)) {
-   RegionUnion(pDamage-damage, pDamage-damage,
-pDamageRegion);
-   (*pDamage-damageReport) (pDamage, tmpRegion, pDamage-closure);
-   }
-   RegionUninit(tmpRegion);
-   break;
-case DamageReportBoundingBox:
-   tmpBox = *RegionExtents(pDamage-damage);
-   RegionUnion(pDamage-damage, pDamage-damage,
-pDamageRegion);
-   if (!BOX_SAME (tmpBox, RegionExtents(pDamage-damage))) {
-   (*pDamage-damageReport) (pDamage, pDamage-damage,
- pDamage-closure);
-   }
-   break;
-case DamageReportNonEmpty:
-   was_empty = !RegionNotEmpty(pDamage-damage);
-   RegionUnion(pDamage-damage, pDamage-damage,
-pDamageRegion);
-   if (was_empty  RegionNotEmpty(pDamage-damage)) {
-   (*pDamage-damageReport) (pDamage, pDamage-damage,
- pDamage-closure);
-   }
-   break;
-case DamageReportNone:
-   RegionUnion(pDamage-damage, pDamage-damage,
-pDamageRegion);
-   break;
-}
-}
-
-static void
 damageReportDamagePostRendering (DamagePtr pDamage, RegionPtr pOldDamage, 
RegionPtr pDamageRegion)
 {
 BoxRec tmpBox;
@@ -360,7 +312,7 @@ damageRegionAppend (DrawablePtr pDrawable, RegionPtr 
pRegion, Bool clip,
/* Report damage now, if desired. */
if (!pDamage-reportAfter) {
if (pDamage-damageReport)
-   damageReportDamage (pDamage, pDamageRegion);
+   DamageReportDamage (pDamage, pDamageRegion);
else
RegionUnion(pDamage-damage,
 pDamage-damage, pDamageRegion);
@@ -393,7 +345,7 @@ damageRegionProcessPending (DrawablePtr pDrawable)
if (pDamage-reportAfter) {
/* It's possible that there is only interest in postRendering 
reporting. */
if (pDamage-damageReport)
-   damageReportDamage (pDamage, pDamage-pendingDamage);
+   DamageReportDamage (pDamage, pDamage-pendingDamage);
else
RegionUnion(pDamage-damage, pDamage-damage,
pDamage-pendingDamage);
@@ -2149,3 +2101,52 @@ DamageGetScreenFuncs (ScreenPtr pScreen)
 damageScrPriv(pScreen);
 return pScrPriv-funcs;
 }
+
+void
+DamageReportDamage (DamagePtr pDamage, RegionPtr pDamageRegion)
+{
+BoxRec tmpBox;
+RegionRec tmpRegion;
+Bool was_empty;
+
+switch (pDamage-damageLevel) {
+case DamageReportRawRegion:
+   RegionUnion(pDamage-damage, pDamage-damage,
+pDamageRegion);
+   (*pDamage-damageReport) (pDamage, pDamageRegion, pDamage-closure);
+   break;
+case DamageReportDeltaRegion:
+   RegionNull(tmpRegion);
+   RegionSubtract(tmpRegion, pDamageRegion, pDamage-damage);
+   if (RegionNotEmpty

[PATCH] damage: use DamageInitialReport for the initial borderClip damage report

[Erkki Seppälä]

Instead of using the proper DamageDamageRegion for reporting the
first (virtual) damage in ProcDamageCreate that covers the borderClip
of the drawable window, use a new function DamageInitialReport that
uses damageReportDamage to do the work. This avoids sending all other
damage listeners a full window update when a new damage object is
created.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 damageext/damageext.c |2 +-
 miext/damage/damage.c |   12 
 miext/damage/damage.h |5 +
 3 files changed, 18 insertions(+), 1 deletions(-)

diff --git a/damageext/damageext.c b/damageext/damageext.c
index cfef069..12e4bb1 100644
--- a/damageext/damageext.c
+++ b/damageext/damageext.c
@@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client)
 if (pDrawable-type == DRAWABLE_WINDOW)
 {
pRegion = ((WindowPtr) pDrawable)-borderClip;
-   DamageDamageRegion(pDrawable, pRegion);
+   DamageInitialDamage(pDrawable, pRegion);
 }
 
 return Success;
diff --git a/miext/damage/damage.c b/miext/damage/damage.c
index a3de044..a698d14 100644
--- a/miext/damage/damage.c
+++ b/miext/damage/damage.c
@@ -2115,6 +2115,18 @@ DamageRegionRendered (DrawablePtr pDrawable, DamagePtr 
pDamage, RegionPtr pOldDa
damageReportDamagePostRendering (pDamage, pOldDamage, pRegion);
 }
 
+void
+DamageInitialDamage (DrawablePtrpDrawable,
+const RegionPtr pRegion)
+{
+ScreenPtr pScreen = pDrawable-pScreen;
+damageScrPriv(pScreen);
+drawableDamage(pDrawable);
+
+damageReportDamage(pDamage, pRegion);
+}
+
+
 /* This call is very odd, i'm leaving it intact for API sake, but please don't 
use it. */
 void
 DamageDamageRegion (DrawablePtrpDrawable,
diff --git a/miext/damage/damage.h b/miext/damage/damage.h
index 067016f..a3125ea 100644
--- a/miext/damage/damage.h
+++ b/miext/damage/damage.h
@@ -110,6 +110,11 @@ DamageRegionProcessPending (DrawablePtr pDrawable);
 extern _X_EXPORT void
 DamageRegionRendered (DrawablePtr pDrawable, DamagePtr pDamage, RegionPtr 
pOldDamage, RegionPtr pRegion);
 
+/* Call this when you create a new Damage and you wish to send an initial 
damage message (to it). */
+extern _X_EXPORT void
+DamageInitialDamage (DrawablePtrpDrawable,
+const RegionPtr pRegion);
+
 /* Avoid using this call, it only exists for API compatibility. */
 extern _X_EXPORT void
 DamageDamageRegion (DrawablePtrpDrawable,
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 2/2] [libXau] XauGet*AuthByAddr: use XauGetFileName instead of XauFileName

[Erkki Seppälä]

XauGetFileName is a thread-safe variant of XauFileName.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
---
 AuGetAddr.c |   12 +++-
 AuGetBest.c |   12 +++-
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/AuGetAddr.c b/AuGetAddr.c
index 897d8b5..5d6c8fb 100644
--- a/AuGetAddr.c
+++ b/AuGetAddr.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The 
Open Group.
 #endif
 #include X11/Xauth.h
 #include X11/Xos.h
+#include stdlib.h
 
 static int
 binaryEqual (_Xconst char *a, _Xconst char *b, int len)
@@ -64,16 +65,15 @@ _Xconst char*   name)
 {
 FILE*auth_file;
 char*auth_name;
-Xauth   *entry;
+Xauth   *entry = NULL;
 
-auth_name = XauFileName ();
-if (!auth_name)
+if (XauGetFileName (auth_name, NULL) != XAUTH_GETFN_OK)
return NULL;
 if (access (auth_name, R_OK) != 0) /* checks REAL id */
-   return NULL;
+   goto cleanup;
 auth_file = fopen (auth_name, rb);
 if (!auth_file)
-   return NULL;
+   goto cleanup;
 for (;;) {
entry = XauReadAuth (auth_file);
if (!entry)
@@ -105,5 +105,7 @@ _Xconst char*   name)
XauDisposeAuth (entry);
 }
 (void) fclose (auth_file);
+ cleanup:
+free(auth_name);
 return entry;
 }
diff --git a/AuGetBest.c b/AuGetBest.c
index 673ee40..096a4c0 100644
--- a/AuGetBest.c
+++ b/AuGetBest.c
@@ -37,6 +37,7 @@ in this Software without prior written authorization from The 
Open Group.
 #define XOS_USE_NO_LOCKING
 #include X11/Xos_r.h
 #endif
+#include stdlib.h
 
 static int
 binaryEqual (_Xconst char *a, _Xconst char *b, int len)
@@ -70,7 +71,7 @@ XauGetBestAuthByAddr (
 FILE*auth_file;
 char*auth_name;
 Xauth   *entry;
-Xauth   *best;
+Xauth   *best = NULL;
 intbest_type;
 inttype;
 #ifdef hpux
@@ -78,14 +79,13 @@ XauGetBestAuthByAddr (
 unsigned short fully_qual_address_length;
 #endif
 
-auth_name = XauFileName ();
-if (!auth_name)
+if (XauGetFileName (auth_name, NULL) != XAUTH_GETFN_OK)
return NULL;
 if (access (auth_name, R_OK) != 0) /* checks REAL id */
-   return NULL;
+   goto cleanup;
 auth_file = fopen (auth_name, rb);
 if (!auth_file)
-   return NULL;
+   goto cleanup;
 
 #ifdef hpux
 if (family == FamilyLocal) {
@@ -166,5 +166,7 @@ XauGetBestAuthByAddr (
XauDisposeAuth (entry);
 }
 (void) fclose (auth_file);
+ cleanup:
+free(auth_name);
 return best;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 1/2] [libXau] XauGetFileName: added a thread-safe variant of XauFileName

[Erkki Seppälä]

XauGetFileName has argument char **buffer, which can be used to
provide an existing buffer for XauGetFileName to store the result
in. *buffer can be NULL, in which case a newly allocated block of
memory will be allocated and stored at *buffer. The function also
provides means to signal the required buffer length back should the
buffer be too small. All different situations are signaled with a
return value enum XauthGetFnStatus, where XAUTH_GETFN_OK = 0.

XauFileName is reimplemented in terms of XauGetFileName. As a side
effect it might reduce the chance of heap corruption. However, this
still doesn't mean XauFileName is anywhere near thread safe. LibXau
has been internally fixed to use XauGetFileName, so you should be safe
if you don't call XauFileName directly.

NetBSD getenv_r is also supported. Unfortunately this support has only
been tested with a simulation function under Linux, as I don't have
access to a NetBSD host, and neither FreeBSD nor Solaris provide this
function. Linux getenv is already thread safe (assuming environment is
not changed), as it simply returns a pointer inside the environment in
process address space. Also Solaris getenv is thread safe according to
its documentation.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
---
 AuFileName.c|  163 ++-
 configure.ac|5 ++
 include/X11/Xauth.h |   38 
 man/Xau.man |   57 +-
 4 files changed, 234 insertions(+), 29 deletions(-)

diff --git a/AuFileName.c b/AuFileName.c
index f384f75..753d0d4 100644
--- a/AuFileName.c
+++ b/AuFileName.c
@@ -30,43 +30,152 @@ in this Software without prior written authorization from 
The Open Group.
 #include X11/Xauth.h
 #include X11/Xos.h
 #include stdlib.h
+#include string.h
+#include errno.h
+
+#ifdef USE_MTSAFE_GETENV
+/**
+ * @brief xau_getenv returns the contents of an environment
+ * variable. 
+ * 
+ * Previously returned value may be trashed by this call!
+ *
+ * @returns If the value is found, the returned string may be
+ * allocated from heap and must be released with the function
+ * xau_freeenv. If the value is not found, NULL will be returned.
+ */
+static const char *
+xau_getenv(const char *name)
+{
+size_t  len= 64;
+char   *buffer = malloc (len);
+intrc = 0;
+
+while (buffer
+   (rc = getenv_r (name, buffer, len)) == -1
+   errno == ERANGE) {
+   len *= 2;
+   free (buffer);
+   buffer = malloc (len);
+}
+return rc == 0 ? buffer : NULL;
+}
+
+/**
+ * @brief xau_freeenv releases a variable stored in heap by
+ * xau_getenv. This function may be a non-op if the environment
+ * variables do not need to be copied.
+ */
+static void
+xau_freeenv(char *value)
+{
+free (value);
+}
+#else /* #if USE_MTSAFE_GETENV */
+static const char *
+xau_getenv(const char *name)
+{
+return getenv ((char*) name);
+}
+
+static void
+xau_freeenv(const char *value)
+{
+(void) value;
+}
+#endif
 
 char *
 XauFileName (void)
 {
-const char *slashDotXauthority = /.Xauthority;
-char*name;
 static char*buf;
-static int bsize;
+static int size;
+int tries;
+
+for (tries = 2; tries  0; --tries) {
+   switch (XauGetFileName (buf, size)) {
+   case XAUTH_GETFN_OK:
+   return buf;
+   case XAUTH_GETFN_NOT_FOUND:
+   case XAUTH_GETFN_OUT_OF_MEMORY:
+   return NULL;
+   case XAUTH_GETFN_BUFFER_TOO_SMALL:
+   buf = realloc (buf, size);
+   }
+}
+
+return NULL;
+}
+
+XauthGetFnStatus
+XauGetFileName (char **buf, int *buf_len)
+{
+static const char *slashDotXauthority = /.Xauthority;
+int   size;
+/* only one of xauthority and home is non-NULL at any point of the
+   function to handle the fact that xau_getenv may trash the
+   contents of its previous return value. */
+char *xauthority = NULL;
+char *home   = NULL;
+const char   *relativeXauthority = NULL;
+int   rc;
 #ifdef WIN32
-chardir[128];
+char  dir[128];
 #endif
-intsize;
 
-if ((name = getenv (XAUTHORITY)))
-   return name;
-name = getenv (HOME);
-if (!name) {
+/* if XAUTHORITY is provided, use that. (Still do buffer
+   handling.) */
+xauthority = xau_getenv (XAUTHORITY);
+if (xauthority) {
+   size = strlen (xauthority) + 1;
+} else {
+   home = xau_getenv (HOME);
+   if (!home) {
 #ifdef WIN32
-   (void) strcpy (dir, /users/);
-   if ((name = getenv(USERNAME))) {
-   (void) strcat (dir, name);
-   name = dir;
-   }
-   if (!name)
+   char *username = xau_getenv (USERNAME);
+   if (username) {
+   snprintf (dir, sizeof(dir), /users/%s, username

[PATCH v2 0/2] [libXau] XauGetFileName: added a thread-safe variant of XauFileName

[Erkki Seppälä]

Well, we decided to take the suggestions into account nevertheles and
create a thread-safe variant of XauFileName, that is used internally
by libXau and thus reduces the impact to multi-threaded programs that
use that function directly instead of the new XauGetFileName. I
imagine the number of such programs is zero ;).

While the patch may not be as simple as the original (far from it), it
should be able to handle environments that don't have file name length
limitations. It also supports environments that don't have a
thread-safe getenv (that is, when subsequent getenv calls clobber the
previous return values), by supporting the getenv_r function, if it is
available. XauGetFileName is still easy to use in the basic situation,
but it works in fixed size buffer situations as well.

Erkki Seppälä (2):
  XauGetFileName: added a thread-safe variant of XauFileName
  XauGet*AuthByAddr: use XauGetFileName instead of XauFileName

 AuFileName.c|  163 ++-
 AuGetAddr.c |   12 ++--
 AuGetBest.c |   12 ++--
 configure.ac|5 ++
 include/X11/Xauth.h |   38 
 man/Xau.man |   57 +-
 6 files changed, 248 insertions(+), 39 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2] [xorg/xserver] os/client: Prevent rare fd leak in DetermineClientPid

[Erkki Seppälä]

DetermineClientPid didn't close file descriptor if read on
/proc/pid/cmdline failed. Adjusted the code to disregard the close
return value and perform the return after that, if the read failed or
returned EOF.

Signed-off-by: Mark Kettenis mark.kette...@xs4all.nl
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
---
 os/client.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/os/client.c b/os/client.c
index 1311855..b534977 100644
--- a/os/client.c
+++ b/os/client.c
@@ -140,10 +140,9 @@ void DetermineClientCmd(pid_t pid, const char **cmdname, 
const char **cmdargs)
 /* Read the contents of /proc/pid/cmdline. It should contain the
  * process name and arguments. */
 totsize = read(fd, path, sizeof(path));
+close(fd);
 if (totsize = 0)
 return;
-if (close(fd)  0)
-return;
 path[totsize - 1] = '\0';
 
 /* Contruct the process name without arguments. */
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[RFC] [PATCH] [xorg/xserver] damage: use DamageExtReport for the initial borderClip damage report

[Erkki Seppälä]

Instead of using the proper DamageDamageRegion for reporting the
first (virtual) damage in ProcDamageCreate that covers the borderClip
of the drawable window, use DamageExtReport directly. This avoids
sending all other damage listeners from receiving a full window update
when a new damage object is created.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 damageext/damageext.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/damageext/damageext.c b/damageext/damageext.c
index cfef069..7a0a779 100644
--- a/damageext/damageext.c
+++ b/damageext/damageext.c
@@ -223,7 +223,7 @@ ProcDamageCreate (ClientPtr client)
 if (pDrawable-type == DRAWABLE_WINDOW)
 {
pRegion = ((WindowPtr) pDrawable)-borderClip;
-   DamageDamageRegion(pDrawable, pRegion);
+   DamageExtReport(NULL /* pDamage not used */, pRegion, pDamageExt);
 }
 
 return Success;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] [xorg/xserver] os/client: Prevent rare fd leak in DetermineClientPid

[Erkki Seppälä]

DetermineClientPid didn't close file descriptor if read on
/proc/pid/cmdline failed. Added close to that path of code.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
---
 os/client.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/os/client.c b/os/client.c
index 1311855..5c05f9b 100644
--- a/os/client.c
+++ b/os/client.c
@@ -140,8 +140,10 @@ void DetermineClientCmd(pid_t pid, const char **cmdname, 
const char **cmdargs)
 /* Read the contents of /proc/pid/cmdline. It should contain the
  * process name and arguments. */
 totsize = read(fd, path, sizeof(path));
-if (totsize = 0)
+if (totsize = 0) {
+close(fd);
 return;
+}
 if (close(fd)  0)
 return;
 path[totsize - 1] = '\0';
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] [xorg/xserver] config: handle device change event properly

[Erkki Seppälä]

wakeup_handler in udev.c wasn't dealing with udev change events.
There are situations when a device can gain its input capabilities
after it has been added to the system and therefore the change events
must be handled as well.

The change is handled as a consecutive device removal and addition.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Stefan Kost stefan.k...@nokia.com
---

Stefan, please ask a proper Reported-by tag for the bug from the
original reporter.

 config/udev.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/config/udev.c b/config/udev.c
index a2f5710..c120747 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -246,6 +246,10 @@ wakeup_handler(pointer data, int err, pointer read_mask)
 device_added(udev_device);
 else if (!strcmp(action, remove))
 device_removed(udev_device);
+else if (!strcmp(action, change)) {
+device_removed(udev_device);
+device_added(udev_device);
+}
 }
 udev_device_unref(udev_device);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] [xorg/xserver] mi/misprite: release private record

[Erkki Seppälä]

The record allocated by miSpriteDeviceCursorInitialize was not being
released. This patch adds a call to free and resetting the private
record to miSpriteDeviceCursorCleanup.

Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 mi/misprite.c |3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/mi/misprite.c b/mi/misprite.c
index 770951e..0306f62 100644
--- a/mi/misprite.c
+++ b/mi/misprite.c
@@ -892,6 +892,9 @@ miSpriteDeviceCursorCleanup(DeviceIntPtr pDev, ScreenPtr 
pScreen)
 {
 if (DevHasCursor(pDev))
 miDCDeviceCleanup(pDev, pScreen);
+
+free(dixLookupPrivate(pDev-devPrivates, miSpriteDevPrivatesKey));
+dixSetPrivate(pDev-devPrivates, miSpriteDevPrivatesKey, NULL);
 }
 
 /*
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2] [xorg/xserver] mi/misprite: use memory management provided by dixRegisterPrivateKey

[Erkki Seppälä]

The record allocated by miSpriteDeviceCursorInitialize was not being
released.

This patch makes misprite use dixRegisterPrivateKey with the record
size argument, which handles the memory management
issues. miSpriteDeviceCursorInitialize is restructured to initialize
pCursorInfo only if miDCDeviceInitialize succeeds. The record itself
is zeroed on cleanup to ensure that the assumptions in the code still
hold.

Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 mi/misprite.c |   41 +++--
 1 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/mi/misprite.c b/mi/misprite.c
index 770951e..c9d0180 100644
--- a/mi/misprite.c
+++ b/mi/misprite.c
@@ -308,7 +308,7 @@ miSpriteInitialize (ScreenPtr   pScreen,
 if (!dixRegisterPrivateKey(miSpriteScreenKeyRec, PRIVATE_SCREEN, 0))
return FALSE;
 
-if (!dixRegisterPrivateKey(miSpriteDevPrivatesKeyRec, PRIVATE_DEVICE, 0))
+if (!dixRegisterPrivateKey(miSpriteDevPrivatesKeyRec, PRIVATE_DEVICE, 
sizeof(miCursorInfoRec)))
return FALSE;
 
 pScreenPriv = malloc(sizeof (miSpriteScreenRec));
@@ -860,38 +860,35 @@ miSpriteMoveCursor (DeviceIntPtr pDev, ScreenPtr pScreen, 
int x, int y)
 static Bool
 miSpriteDeviceCursorInitialize(DeviceIntPtr pDev, ScreenPtr pScreen)
 {
-miCursorInfoPtr pCursorInfo;
-int ret = FALSE;
-
-pCursorInfo = malloc(sizeof(miCursorInfoRec));
-if (!pCursorInfo)
-return FALSE;
-
-pCursorInfo-pCursor = NULL;
-pCursorInfo-x = 0;
-pCursorInfo-y = 0;
-pCursorInfo-isUp = FALSE;
-pCursorInfo-shouldBeUp = FALSE;
-pCursorInfo-pCacheWin = NullWindow;
-pCursorInfo-isInCacheWin = FALSE;
-pCursorInfo-checkPixels = TRUE;
-pCursorInfo-pScreen = FALSE;
+int ret = miDCDeviceInitialize(pDev, pScreen);
 
-ret = miDCDeviceInitialize(pDev, pScreen);
-if (!ret)
+if (ret)
 {
-free(pCursorInfo);
-pCursorInfo = NULL;
+miCursorInfoPtr pCursorInfo;
+pCursorInfo = dixLookupPrivate(pDev-devPrivates, 
miSpriteDevPrivatesKey);
+pCursorInfo-pCursor = NULL;
+pCursorInfo-x = 0;
+pCursorInfo-y = 0;
+pCursorInfo-isUp = FALSE;
+pCursorInfo-shouldBeUp = FALSE;
+pCursorInfo-pCacheWin = NullWindow;
+pCursorInfo-isInCacheWin = FALSE;
+pCursorInfo-checkPixels = TRUE;
+pCursorInfo-pScreen = FALSE;
 }
-dixSetPrivate(pDev-devPrivates, miSpriteDevPrivatesKey, pCursorInfo);
+
 return ret;
 }
 
 static void
 miSpriteDeviceCursorCleanup(DeviceIntPtr pDev, ScreenPtr pScreen)
 {
+miCursorInfoPtr pCursorInfo = dixLookupPrivate(pDev-devPrivates, 
miSpriteDevPrivatesKey);
+
 if (DevHasCursor(pDev))
 miDCDeviceCleanup(pDev, pScreen);
+
+memset(pCursorInfo, 0, sizeof(miCursorInfoRec));
 }
 
 /*
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] xfree86/common: Removed a configScreen leak when conf_screen is NULL

[Erkki Seppälä]

configScreen used a dynamically allocated buffer for XF86ConfScreenRec
when conf_screen argument was NULL. This pointer was never stored
anywhere, nor was it released, so this patch makes the function use
automatically allocated storage in that situation.

Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 hw/xfree86/common/xf86Config.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c
index 28786ba..906d4bd 100644
--- a/hw/xfree86/common/xf86Config.c
+++ b/hw/xfree86/common/xf86Config.c
@@ -1829,9 +1829,11 @@ configScreen(confScreenPtr screenp, XF86ConfScreenPtr 
conf_screen, int scrnum,
 XF86ConfDisplayPtr dispptr;
 XF86ConfAdaptorLinkPtr conf_adaptor;
 Bool defaultMonitor = FALSE;
+XF86ConfScreenRec local_conf_screen; /* used only if conf_screen is NULL */
 
 if (!conf_screen) {
-conf_screen = xnfcalloc(1, sizeof(XF86ConfScreenRec));
+memset(local_conf_screen, 0, sizeof(local_conf_screen));
+conf_screen = local_conf_screen;
 conf_screen-scrn_identifier = Default Screen Section;
 xf86Msg(X_DEFAULT, No screen section available. Using defaults.\n);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] xfree86/modes: Fixed memory leak in xf86InitialConfiguration

[Erkki Seppälä]

There were two memory leaks in the function: one was the lack of free
for enabled, the other was the full lack of releasing anything when
configuration was too small. The first issue was fixed by adding the
missing free, the other was addressed by replacing the duplicate
memory releasing sequences with one that is gotoed into.

Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 hw/xfree86/modes/xf86Crtc.c |   21 -
 1 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 9a5e50a..7eaecdb 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -2353,6 +2353,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow)
 inti = scrn-scrnIndex;
 Bool have_outputs = TRUE;
 Bool ret;
+Bool success = FALSE;
 
 /* Set up the device options */
 config-options = xnfalloc (sizeof (xf86DeviceOptions));
@@ -2411,11 +2412,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow)
  * Set the position of each output
  */
 if (!xf86InitialOutputPositions (scrn, modes))
-{
-   free(crtcs);
-   free(modes);
-   return FALSE;
-}
+   goto bailout;
 
 /*
  * Set initial panning of each output
@@ -2426,11 +2423,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow)
  * Assign CRTCs to fit output configuration
  */
 if (have_outputs  !xf86PickCrtcs (scrn, crtcs, modes, 0, width, height))
-{
-   free(crtcs);
-   free(modes);
-   return FALSE;
-}
+   goto bailout;
 
 /* XXX override xf86 common frame computation code */
 
@@ -2507,7 +2500,7 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool canGrow)
  * Make sure the configuration isn't too small.
  */
 if (width  config-minWidth || height  config-minHeight)
-   return FALSE;
+   goto bailout;
 
 /*
  * Limit the crtc config to virtual[XY] if the driver can't grow the
@@ -2530,10 +2523,12 @@ xf86InitialConfiguration (ScrnInfoPtr scrn, Bool 
canGrow)
   xf86CVTMode(width, height, 60, 0, 0));
 }
 
-
+success = TRUE;
+ bailout:
 free(crtcs);
 free(modes);
-return TRUE;
+free(enabled);
+return success;
 }
 
 /*
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH] [xserver] record: avoid crash when calling RecordFlushReplyBuffer recursively

[Erkki Seppälä]

RecordFlushReplyBuffer can call itself recursively through
WriteClient-CallCallbacks-_CallCallbacks-RecordFlushAllContexts
when the recording client's buffer cannot be completely emptied in one
WriteClient. When a such a recursion occurs, it will not be broken out
of which results in segmentation fault when the stack is exhausted.

This patch adds a counter (a flag, really) that guards against this
situation, to break out of the recursion.

One alternative to this change would be to change _CallCallbacks to
check the corresponding counter before the callback loop, but that
might affect existing behavior, which may be relied upon.

Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 record/record.c |6 +-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/record/record.c b/record/record.c
index 6a93d7a..bea3046 100644
--- a/record/record.c
+++ b/record/record.c
@@ -77,6 +77,7 @@ typedef struct {
 char   bufCategory;   /* category of protocol in replyBuffer */
 intnumBufBytes;   /* number of bytes in replyBuffer */
 char   replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */
+intinFlush;   /*  are we inside 
RecordFlushReplyBuffer */
 } RecordContextRec, *RecordContextPtr;
 
 /*  RecordMinorOpRec - to hold minor opcode selections for extension requests
@@ -245,8 +246,9 @@ RecordFlushReplyBuffer(
 int len2
 )
 {
-if (!pContext-pRecordingClient || pContext-pRecordingClient-clientGone) 
+if (!pContext-pRecordingClient || pContext-pRecordingClient-clientGone 
|| pContext-inFlush) 
return;
+++pContext-inFlush;
 if (pContext-numBufBytes)
WriteToClient(pContext-pRecordingClient, pContext-numBufBytes,
  (char *)pContext-replyBuffer);
@@ -255,6 +257,7 @@ RecordFlushReplyBuffer(
WriteToClient(pContext-pRecordingClient, len1, (char *)data1);
 if (len2)
WriteToClient(pContext-pRecordingClient, len2, (char *)data2);
+--pContext-inFlush;
 } /* RecordFlushReplyBuffer */
 
 
@@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client)
 pContext-numBufBytes = 0;
 pContext-pBufClient = NULL;
 pContext-continuedReply = 0;
+pContext-inFlush = 0;
 
 err = RecordRegisterClients(pContext, client,
(xRecordRegisterClientsReq *)stuff);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 0/2] Last two libx11 static analysis fixes

[Erkki Seppälä]

Here are the final (I hope..) two LibX11 static analysis fixes. Thanks
for perseverance! ;) 

The cmsProp patch was amended compared to the one posted earlier while
the other is as-is (except for commit message).

Ander Conselvan de Oliveira (1):
  xcms/LRGB: don't double-free property_return

Erkki Seppälä (1):
  xcms/cmsProp: don't deal with uninitialized values, fail instead

 src/xcms/LRGB.c|1 -
 src/xcms/cmsProp.c |   24 +---
 2 files changed, 13 insertions(+), 12 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 1/2] [libX11] xcms/LRGB: don't double-free property_return

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

property_return was free'd before and in the case the conditional is
true, the call to XcmsGetProperty failed which means that
property_return wasn't set so there is no need to free it again.

Double free of pointer property_return in call to free

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/xcms/LRGB.c |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index 750c492..2dca82e 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData(
 if (CorrectAtom == None ||
!_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom,
   format_return, nitems, nbytes_return, property_return)) {
-   Xfree ((char *)property_return);
goto FreeSCCData;
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 2/2] [libX11] xcms/cmsProp: don't deal with uninitialized values, fail instead

[Erkki Seppälä]

Properly handle the return value of XGetWindowProperty by considering
if after the loop as well.

Using freed pointer prop_ret

There were numerous things wrong in how this function interacted with
XGetWindowProperty.

None of the local variables were initialized and remained that way if
the call to XGetWindowProperty returned 1 (not Succeed). That doesn't
result in after_ret being initialized in which case if it happens to
be 0, the loop was exited. In that case format_ret and nitems_ret were
uninitialized and the function might return with success (but with
uninitialized pointer in prop_ret) or XcmsFailure.

As the buffer enlarging code was called only when XGetWindowProperty
failed (returned not Success), after_ret would not have been
initialized. It would have been initialized only if the
XGetWindowProperty has returned Success earlier, but in that case the
code fragment would not have been reached.

This patch alters the function to return XcmsFailure if the call to
XGetWindowProperty fails.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Reviewed-by: Rami Ylimäki rami.ylim...@vincit.fi
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsProp.c |   17 ++---
 1 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c
index 856ae84..2826ee7 100644
--- a/src/xcms/cmsProp.c
+++ b/src/xcms/cmsProp.c
@@ -121,20 +121,23 @@ _XcmsGetProperty(
 long len = 6516;
 unsigned long nitems_ret, after_ret;
 Atom atom_ret;
+int xgwp_ret;
 
-while (XGetWindowProperty (pDpy, w, property, 0, len, False,
-  XA_INTEGER, atom_ret, format_ret,
-  nitems_ret, after_ret,
-  (unsigned char **)prop_ret)) {
-   if (after_ret  0) {
+while (True) {
+   xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+  XA_INTEGER, atom_ret, format_ret,
+  nitems_ret, after_ret,
+  (unsigned char **)prop_ret);
+   if (xgwp_ret == Success  after_ret  0) {
len += nitems_ret * (format_ret  3);
XFree (prop_ret);
} else {
break;
}
 }
-if (format_ret == 0 || nitems_ret == 0) {
-   /* the property does not exist or is of an unexpected type */
+if (xgwp_ret != Success || format_ret == 0 || nitems_ret == 0) {
+   /* the property does not exist or is of an unexpected type or
+   getting window property failed */
return(XcmsFailure);
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

Pull request for libx11 reviewed static analysis fixes

[Erkki Seppälä]

are available in the git repository at:

  git://gitorious.org/erkkise/libx11-fixes.git fixes-reviewed-1

Erkki Seppälä (4):
  Using freed pointer e
  Dereferencing possibly NULL str in call to function memcpy (Deref 
assumed on the basis of 'nonnull' parameter attribute.)
  Variable entry tracked as NULL was dereferenced.
  Comparing array against NULL is not useful xkb-server-vmods != NULL

 src/XlibInt.c |4 ++--
 src/xkb/XKB.c |2 +-
 src/xkb/XKBList.c |2 ++
 src/xkb/XKBMisc.c |2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 3/3] [libx11] Cannot reach dead statement return NULL;

[Erkki Seppälä]

Check for the NULLness of prop-name and prop-value instead of
name and value, which was checked earlier anyway. Decided against
using strdup due to curious memory allocation functions and the
rest of the xkb not using it either.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi

diff --git a/src/xkb/XKBGAlloc.c b/src/xkb/XKBGAlloc.c
index 17d13be..90ec2f9 100644
--- a/src/xkb/XKBGAlloc.c
+++ b/src/xkb/XKBGAlloc.c
@@ -696,11 +696,11 @@ register XkbPropertyPtr prop;
 }
 prop= geom-properties[geom-num_properties];
 prop-name= (char *)_XkbAlloc(strlen(name)+1);
-if (!name)
+if (!prop-name)
return NULL;
 strcpy(prop-name,name);
 prop-value= (char *)_XkbAlloc(strlen(value)+1);
-if (!value) {
+if (!prop-value) {
_XkbFree(prop-name);
prop-name= NULL;
return NULL;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 0/3] Various fixes based on static analysis

[Erkki Seppälä]

Here are revised versions of the fixes that got some review comments
on the list.

Erkki Seppälä (3):
  Variable map goes out of scope
  Using uninitialized value p-modifiers
  Cannot reach dead statement return NULL;

 modules/im/ximcp/imThaiFlt.c |9 +++--
 src/KeyBind.c|2 +-
 src/xkb/XKBGAlloc.c  |4 ++--
 3 files changed, 10 insertions(+), 5 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 2/3] [libx11] Using uninitialized value p-modifiers

[Erkki Seppälä]

Small fix by using Xcalloc instead of Xmalloc

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi

diff --git a/src/KeyBind.c b/src/KeyBind.c
index 6d80a02..ac25ce2 100644
--- a/src/KeyBind.c
+++ b/src/KeyBind.c
@@ -996,7 +996,7 @@ XRebindKeysym (
 tmp = dpy-key_bindings;
 nb = sizeof(KeySym) * nm;
 
-if ((! (p = (struct _XKeytrans *) Xmalloc( sizeof(struct _XKeytrans ||
+if ((! (p = (struct _XKeytrans *) Xcalloc( 1, sizeof(struct _XKeytrans 
||
((! (p-string = (char *) Xmalloc( (unsigned) nbytes))) 
 (nbytes  0)) ||
((! (p-modifiers = (KeySym *) Xmalloc( (unsigned) nb))) 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 1/3] [libx11] Variable map goes out of scope

[Erkki Seppälä]

Release modifiermap before returning. Reordered code to call
XGetModifierMapping after the first return from the function.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi

diff --git a/modules/im/ximcp/imThaiFlt.c b/modules/im/ximcp/imThaiFlt.c
index e0b3988..e2b0458 100644
--- a/modules/im/ximcp/imThaiFlt.c
+++ b/modules/im/ximcp/imThaiFlt.c
@@ -1262,15 +1262,20 @@ Private unsigned
 NumLockMask(Display *d)
 {
 int i;
-XModifierKeymap *map = XGetModifierMapping (d);
+XModifierKeymap *map;
 KeyCode numlock_keycode = XKeysymToKeycode (d, XK_Num_Lock);
 if (numlock_keycode == NoSymbol)
 return 0;
 
+map = XGetModifierMapping (d);
+
 for (i = 0; i  8; i++) {
-if (map-modifiermap[map-max_keypermod * i] == numlock_keycode)
+if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) {
+XFreeModifiermap(map);
 return 1  i;
+}
 }
+XFreeModifiermap(map);
 return 0;
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 00/25] Various fixes based on static analysis - remaining patches

[Erkki Seppälä]

Here are the remaining patches of the libx11 static analysis batch
that have not yet received feedback from the list. Next up,
pull-request :).

Ander Conselvan de Oliveira (6):
  Double free of pointer property_return in call to free
  xcms/LRGB: Fix potential resource leak.
  xcms/LRGB: Add a label for freeing property_return.
  Using freed pointer prop_ret
  Variable wd_array goes out of scope Value wd_array is overwritten
in wd_array = (XPointer*)realloc((char*)info_list-watch_data,
(((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count
+ 1) * 4U)))
  Using uninitialized value conv-state in call to function
close_converter

Erkki Seppälä (19):
  Variable fs not freed or pointed-to in function get_prop_name
  Pointer pBuf returned from fgets(buf, 256, stream) is never used
  Pointer pBuf returned from fgets(buf, 256, stream) is never used
  Using uninitialized value new
  Possible overrun of 8192 byte fixed size buffer buffer by copying
ext-name without length checking
  Variable colormap_ret goes out of scope
  Variable missing_list goes out of scope
  Variable colormap_ret goes out of scope
  Variable colormap_ret goes out of scope
  Variable colormap_ret goes out of scope
  Variable image goes out of scope
  Variable prop_name not freed or pointed-to in function strlen
  Variable table goes out of scope
  Tracked variable size was passed to a negative sink.
  Using uninitialized value error.resourceID in call to function
_XError
  Return value of XGetWindowProperty(im-core.display,
spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) /
4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_after_ret,
prop_ret) is not checked
  a negative value was passed to memcpy
  Cannot reach dead expression 0U inside statement if (1U +
(target_dir ? strl...
  Cannot reach dead expression 0U inside statement if (1U +
(target_dir ? strl...

 modules/im/ximcp/imLcLkup.c |4 
 modules/im/ximcp/imRm.c |4 
 modules/im/ximcp/imRmAttr.c |7 +--
 modules/im/ximcp/imTrX.c|   33 +
 modules/lc/def/lcDefConv.c  |2 +-
 modules/lc/gen/lcGenConv.c  |2 +-
 src/GetProp.c   |2 +-
 src/ImUtil.c|1 +
 src/XlibInt.c   |8 +---
 src/Xrm.c   |   10 +-
 src/xcms/LRGB.c |   25 ++---
 src/xcms/cmsColNm.c |4 ++--
 src/xcms/cmsProp.c  |   11 ++-
 src/xlibi18n/XDefaultOMIF.c |9 +
 src/xlibi18n/lcFile.c   |6 ++
 src/xlibi18n/lcGeneric.c|2 +-
 16 files changed, 78 insertions(+), 52 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 03/25] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used

[Erkki Seppälä]

Removed unused assignment

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index c7ad4fd..8518adf 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -651,7 +651,7 @@ ReadColornameDB(
  * Process lines between START_TOKEN to END_TOKEN
  */
 
-while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
/*
 * Found END_TOKEN so break out of for loop
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 02/25] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used

[Erkki Seppälä]

Removed unused assignment

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index 4164370..c7ad4fd 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -567,7 +567,7 @@ stringSectionSize(
return(XcmsFailure);
 }
 
-while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 01/25] [libx11] Variable fs not freed or pointed-to in function get_prop_name

[Erkki Seppälä]

Fixed a missing call to XFreeFont

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/XDefaultOMIF.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c
index bc6b1b9..bb3986a 100644
--- a/src/xlibi18n/XDefaultOMIF.c
+++ b/src/xlibi18n/XDefaultOMIF.c
@@ -398,7 +398,10 @@ get_font_name(
if (fs == NULL) return NULL;
 
prop_name = get_prop_name(dpy, fs);
-   if (prop_name == NULL) return NULL;
+   if (prop_name == NULL) {
+XFreeFont(dpy, fs);
+   return NULL;
+}
 
name = (char*) Xmalloc(strlen(prop_name) + 1);
if (name)
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 07/25] [libx11] Variable missing_list goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree and initializing missing_list with NULL

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index d62dfdb..ae053c9 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -313,7 +313,7 @@ _XimAttributeToValue(
INT16len = data[0];
char*base_name;
XFontSet rep = (XFontSet)NULL;
-   char**missing_list;
+   char**missing_list = NULL;
int  missing_count;
char*def_string;
 
@@ -347,6 +347,7 @@ _XimAttributeToValue(
}
 
Xfree(base_name);
+   Xfree(missing_list);
*((XFontSet *)value) = rep;
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 11/25] [libx11] Variable image goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/ImUtil.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/ImUtil.c b/src/ImUtil.c
index cd418d8..3164d43 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -372,6 +372,7 @@ XImage *XCreateImage (
if (image_bytes_per_line == 0) {
image-bytes_per_line = min_bytes_per_line;
} else if (image_bytes_per_line  min_bytes_per_line) {
+   Xfree(image);
return NULL;
} else {
image-bytes_per_line = image_bytes_per_line;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 05/25] [libx11] Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name without length checking

[Erkki Seppälä]

Fixed by using strncpy and explicitly terminating the buffer

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/XlibInt.c |7 ---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index d55c26a..52ccff1 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
 ext  (ext-codes.major_opcode != event-request_code);
 ext = ext-next)
  ;
-   if (ext)
-   strcpy(buffer, ext-name);
-   else
+   if (ext) {
+   strncpy(buffer, ext-name, BUFSIZ);
+   buffer[BUFSIZ - 1] = '\0';
+} else
buffer[0] = '\0';
 }
 (void) fprintf(fp,  (%s)\n, buffer);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 12/25] [libx11] Variable prop_name not freed or pointed-to in function strlen

[Erkki Seppälä]

Instead of copying the value returned by get_prop_name and then releasing it, 
directly use the return value of get_prop_name, which allocates memory for the 
name.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/XDefaultOMIF.c |4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c
index bb3986a..f4f141c 100644
--- a/src/xlibi18n/XDefaultOMIF.c
+++ b/src/xlibi18n/XDefaultOMIF.c
@@ -403,9 +403,7 @@ get_font_name(
return NULL;
 }
 
-   name = (char*) Xmalloc(strlen(prop_name) + 1);
-   if (name)
-   strcpy(name, prop_name);
+   name = prop_name;
 
XFreeFont(dpy, fs);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 08/25] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index ae053c9..5035df5 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -957,6 +957,7 @@ _XimEncodePreeditValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 24/25] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...

[Erkki Seppälä]

Removed superfluous check for NULL target_dir; it is already handled
before this code.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index 21a546d..d7e375e 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 06/25] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index b6d1e12..d62dfdb 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -999,7 +999,7 @@ _XimEncodeStatusValue(
 XIMArg *p)
 {
 if (res-xrm_name == XrmStringToQuark(XNStdColormap)) {
-   XStandardColormap   *colormap_ret;
+   XStandardColormap   *colormap_ret = NULL;
int  count;
 
if (!(XGetRGBColormaps(ic-core.im-core.display,
@@ -1007,6 +1007,7 @@ _XimEncodeStatusValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 22/25] [libx11] Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_af

[Erkki Seppälä]

Checked return value of XGetWindowProperty and return false if it fails.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imTrX.c |   33 +
 1 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c
index 47c231e..edcaf08 100644
--- a/modules/im/ximcp/imTrX.c
+++ b/modules/im/ximcp/imTrX.c
@@ -377,14 +377,19 @@ _XimXGetReadData(
*ret_len  = (int)nitems;
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret,
-   prop_ret);
-   XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
-   XA_STRING, 8, PropModePrepend, prop_ret[length],
-   (nitems - length));
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4),
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems,
+  bytes_after_ret,
+  prop_ret) == Success) {
+   XChangeProperty(im-core.display, spec-lib_connect_wid, 
prop,
+   XA_STRING, 8, PropModePrepend, 
prop_ret[length],
+   (nitems - length));
+   } else {
+   return False;
+   }
}
} else {
(void)memcpy(buf, prop_ret, buf_len);
@@ -393,10 +398,14 @@ _XimXGetReadData(
 
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret, prop_ret);
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4),
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems,
+  bytes_after_ret, prop_ret) != Success) 
{
+   return False;
+   }
}
XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 23/25] [libx11] a negative value was passed to memcpy

[Erkki Seppälä]

Fixed by checking for the negative return value of _Xlcwctomb and
returning 0/XLookupNone in that case.

Unfortunately the other return values for *status don't fit into the
error (which appears to indicate some internal error or running out of
memory). The other valid status codes are XBufferOverflow,
XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of
these has a specific meaning attached.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imLcLkup.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c
index 80e4cfe..4891176 100644
--- a/modules/im/ximcp/imLcLkup.c
+++ b/modules/im/ximcp/imLcLkup.c
@@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char 
*buffer, int bytes,
unsigned char pattern = ic-private.local.brl_committed;
char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)];
ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern);
+   if(ret  0) {
+   if(status) *status = XLookupNone;
+   return(0);
+   }
if(ret  bytes) {
if(status) *status = XBufferOverflow;
return(ret);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 20/25] [libx11] Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

info_list-watch_data was being reallocated, but the return value of the 
reallocation was stored only into a local variable. This might cause some funky 
behavior and crashes.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/XlibInt.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index 52ccff1..3d13747 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -662,6 +662,7 @@ XAddConnectionWatch(
UnlockDisplay(dpy);
return 0;
}
+   info_list-watch_data = wd_array;
wd_array[dpy-watcher_count] = NULL;/* for cleanliness */
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 09/25] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRm.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c
index 2e2c31f..fa86979 100644
--- a/modules/im/ximcp/imRm.c
+++ b/modules/im/ximcp/imRm.c
@@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue(
ic-core.focus_window, colormap_ret,
count, (Atom)p-value)))
return False;
+
+   Xfree(colormap_ret);
 }
 return True;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 10/25] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRm.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c
index fa86979..3d09b81 100644
--- a/modules/im/ximcp/imRm.c
+++ b/modules/im/ximcp/imRm.c
@@ -2821,6 +2821,8 @@ _XimEncodeLocalPreeditValue(
ic-core.focus_window, colormap_ret,
count, (Atom)p-value)))
return False;
+
+   Xfree(colormap_ret);
 }
 return True;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 21/25] [libx11] Using uninitialized value conv-state in call to function close_converter

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

Fixed by zero'ing conv on allocation. Then close_converter works properly.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/lc/def/lcDefConv.c |2 +-
 modules/lc/gen/lcGenConv.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c
index 5860a79..12a4861 100644
--- a/modules/lc/def/lcDefConv.c
+++ b/modules/lc/def/lcDefConv.c
@@ -577,7 +577,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c
index 074a8d7..baac73a 100644
--- a/modules/lc/gen/lcGenConv.c
+++ b/modules/lc/gen/lcGenConv.c
@@ -2650,7 +2650,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 04/25] [libx11] Using uninitialized value new

[Erkki Seppälä]

Zero-initialized new

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcGeneric.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c
index 69ea97d..688a4cf 100644
--- a/src/xlibi18n/lcGeneric.c
+++ b/src/xlibi18n/lcGeneric.c
@@ -428,7 +428,7 @@ read_charset_define(
 char name[BUFSIZ];
 XlcCharSet charsetd;
 char **value;
-int num, new;
+int num, new = 0;
 XlcSide side = XlcUnknown;
 char *tmp;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 13/25] [libx11] Variable table goes out of scope

[Erkki Seppälä]

The NEWTABLE macro missed freeing its allocated memory on subsequent memory 
allocation errors. Added call to Xfree.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 21f0af3..3e68c37 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -842,8 +842,10 @@ static void PutEntry(
nprev = NodeBuckets(table); \
 } else { \
table-leaf = 1; \
-   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \
+   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\
+   Xfree(table); \
return; \
+} \
((LTable)table)-buckets = (VEntry *)nprev; \
 } \
 *nprev = (NTable)NULL; \
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 17/25] [libx11] xcms/LRGB: Add a label for freeing property_return.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

The rest of the code uses goto's to free memory allocated later
and prevent memory leaks, but there were several paths were
property_return was free'd just before a goto.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/LRGB.c |   26 ++
 1 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index c1606be..4853483 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  9) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 3;
break;
@@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  7) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 1;
break;
@@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  6) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 0;
break;
  default:
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
/*
@@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData(
}
}
} else {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
 #ifdef ALLDEBUG
@@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData(
 #endif /* ALLDEBUG */
 }
 
-Xfree ((char *)property_return);
-
 /* Free the old memory and use the new structure created. */
 LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData);
 
@@ -820,6 +811,9 @@ FreeRedTblElements:
 FreeRedTbl:
 Xfree((char *)pScreenData-pRedTbl);
 
+Free_property_return:
+Xfree ((char *)property_return);
+
 FreeSCCData:
 Xfree((char *)pScreenData);
 pPerScrnInfo-state = XcmsInitNone;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 16/25] [libx11] xcms/LRGB: Fix potential resource leak.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

property_return was not free'd if the allocation of pRedTbl failed.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/LRGB.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index d9168bd..c1606be 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
@@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 14/25] [libx11] Tracked variable size was passed to a negative sink.

[Erkki Seppälä]

Fixed the handling of the extremely unlikely situation of fstat failing

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 3e68c37..fbc8ad2 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -1596,6 +1596,12 @@ ReadInFile(_Xconst char *filename)
  */
 GetSizeOfFile(fd, size);
 
+/* There might have been a problem trying to stat a file */
+if (size == -1) {
+   close (fd);
+   return (char *)NULL;
+}
+
 if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */
close(fd);
return (char *)NULL;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 25/25] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...

[Erkki Seppälä]

Removed superfluous check for NULL target_dir; it is already handled
before this code.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index d7e375e..18756c1 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 19/25] [libx11] Using freed pointer prop_ret

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

In the case were a first call to XGetWindowProperty succeeds but the
initial value of len is smaller than the total length of the property,
prop_return is freed and another call XGWP is made. If that subsequent
call fails, unless the subsequent

  if (format_ret == 0 || nitems_ret == 0)

ends up returning XcmsFailure, the freed value of prop_ret from the
previous call to XGWP will be returned.

This patches changes the funcion to behavior to return XcmsFailure
if the call do XGetWindowProperty fails.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsProp.c |   11 ++-
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c
index 856ae84..9294cc7 100644
--- a/src/xcms/cmsProp.c
+++ b/src/xcms/cmsProp.c
@@ -121,11 +121,12 @@ _XcmsGetProperty(
 long len = 6516;
 unsigned long nitems_ret, after_ret;
 Atom atom_ret;
+int xgwp_ret;
 
-while (XGetWindowProperty (pDpy, w, property, 0, len, False,
-  XA_INTEGER, atom_ret, format_ret,
-  nitems_ret, after_ret,
-  (unsigned char **)prop_ret)) {
+while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+  XA_INTEGER, atom_ret, format_ret,
+  nitems_ret, after_ret,
+  (unsigned char **)prop_ret))) {
if (after_ret  0) {
len += nitems_ret * (format_ret  3);
XFree (prop_ret);
@@ -133,7 +134,7 @@ _XcmsGetProperty(
break;
}
 }
-if (format_ret == 0 || nitems_ret == 0) {
+if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) {
/* the property does not exist or is of an unexpected type */
return(XcmsFailure);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 00/25] Various fixes based on static analysis - remaining patches

[Erkki Seppälä]

Here are the remaining patches of the libx11 static analysis batch
that have not yet received feedback from the list. This batch has the
comments fixed so that the actual change is first, while the diagnosis
from the tool follows, thus making git shortlog more useful.

Next up, pull-request :).

Ander Conselvan de Oliveira (6):  
  property_return was free'd before and in the case the conditional is 
true, the call to XcmsGetProperty faile
  property_return was not free'd if the allocation of pRedTbl failed.
  The rest of the code uses goto's to free memory allocated later and 
prevent memory leaks, but there were sev
  Properly handle the return value of XGetWindowProperty by considering if 
after the loop as well.
  info_list-watch_data was being reallocated, but the return value of the 
reallocation was stored only into a loc
  Fixed by zero'ing conv on allocation. Then close_converter works properly.

Erkki Seppälä (19):
  Fixed a missing call to XFreeFont
  Removed unused assignment
  Removed unused assignment
  Zero-initialized new
  Fixed by using strncpy and explicitly terminating the buffer
  Fixed memory leak by adding Xfree
  Fixed memory leak by adding Xfree and initializing missing_list with NULL
  Fixed memory leak by adding Xfree
  Fixed memory leak by adding Xfree
  Fixed memory leak by adding Xfree
  Fixed memory leak by adding Xfree
  Instead of copying the value returned by get_prop_name and then releasing 
it, directly use the return value of g
  The NEWTABLE macro missed freeing its allocated memory on subsequent 
memory allocation errors. Added call to Xfr
  Fixed the handling of the extremely unlikely situation of fstat failing
  Initialize local variable
  Checked return value of XGetWindowProperty and return false if it fails.
  Fixed by negative value to memcpy by checking for the negative return 
value of _Xlcwctomb and returning 0/XLooku
  Removed superfluous check for NULL target_dir; it is already handled 
before this code.
  Removed superfluous check for NULL target_dir; it is already handled 
before this code.

 modules/im/ximcp/imLcLkup.c |4 
 modules/im/ximcp/imRm.c |4 
 modules/im/ximcp/imRmAttr.c |7 +--
 modules/im/ximcp/imTrX.c|   33 +
 modules/lc/def/lcDefConv.c  |2 +-
 modules/lc/gen/lcGenConv.c  |2 +-
 src/GetProp.c   |2 +-
 src/ImUtil.c|1 +
 src/XlibInt.c   |8 +---
 src/Xrm.c   |   10 +-
 src/xcms/LRGB.c |   25 ++---
 src/xcms/cmsColNm.c |4 ++--
 src/xcms/cmsProp.c  |   11 ++-
 src/xlibi18n/XDefaultOMIF.c |9 +
 src/xlibi18n/lcFile.c   |6 ++
 src/xlibi18n/lcGeneric.c|2 +-
 16 files changed, 78 insertions(+), 52 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 03/25] [libx11] Removed unused assignment

[Erkki Seppälä]

Pointer pBuf returned from fgets(buf, 256, stream) is never used

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index c7ad4fd..8518adf 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -651,7 +651,7 @@ ReadColornameDB(
  * Process lines between START_TOKEN to END_TOKEN
  */
 
-while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
/*
 * Found END_TOKEN so break out of for loop
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 02/25] [libx11] Removed unused assignment

[Erkki Seppälä]

Pointer pBuf returned from fgets(buf, 256, stream) is never used

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index 4164370..c7ad4fd 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -567,7 +567,7 @@ stringSectionSize(
return(XcmsFailure);
 }
 
-while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 13/25] [libx11] The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree.

[Erkki Seppälä]

Variable table goes out of scope

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 21f0af3..3e68c37 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -842,8 +842,10 @@ static void PutEntry(
nprev = NodeBuckets(table); \
 } else { \
table-leaf = 1; \
-   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \
+   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\
+   Xfree(table); \
return; \
+} \
((LTable)table)-buckets = (VEntry *)nprev; \
 } \
 *nprev = (NTable)NULL; \
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 01/25] [libx11] Fixed a missing call to XFreeFont

[Erkki Seppälä]

Variable fs not freed or pointed-to in function get_prop_name

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/XDefaultOMIF.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c
index bc6b1b9..bb3986a 100644
--- a/src/xlibi18n/XDefaultOMIF.c
+++ b/src/xlibi18n/XDefaultOMIF.c
@@ -398,7 +398,10 @@ get_font_name(
if (fs == NULL) return NULL;
 
prop_name = get_prop_name(dpy, fs);
-   if (prop_name == NULL) return NULL;
+   if (prop_name == NULL) {
+XFreeFont(dpy, fs);
+   return NULL;
+}
 
name = (char*) Xmalloc(strlen(prop_name) + 1);
if (name)
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 14/25] [libx11] Fixed the handling of the extremely unlikely situation of fstat failing

[Erkki Seppälä]

Tracked variable size was passed to a negative sink.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 3e68c37..fbc8ad2 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -1596,6 +1596,12 @@ ReadInFile(_Xconst char *filename)
  */
 GetSizeOfFile(fd, size);
 
+/* There might have been a problem trying to stat a file */
+if (size == -1) {
+   close (fd);
+   return (char *)NULL;
+}
+
 if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */
close(fd);
return (char *)NULL;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 09/25] [libx11] Fixed memory leak by adding Xfree

[Erkki Seppälä]

Variable colormap_ret goes out of scope

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRm.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c
index 2e2c31f..fa86979 100644
--- a/modules/im/ximcp/imRm.c
+++ b/modules/im/ximcp/imRm.c
@@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue(
ic-core.focus_window, colormap_ret,
count, (Atom)p-value)))
return False;
+
+   Xfree(colormap_ret);
 }
 return True;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 15/25] [libx11] property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty failed which means that property_return wasn't set so there is no need

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

Double free of pointer property_return in call to free

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/LRGB.c |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index 2f7a4cc..d9168bd 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData(
 if (CorrectAtom == None ||
!_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom,
   format_return, nitems, nbytes_return, property_return)) {
-   Xfree ((char *)property_return);
goto FreeSCCData;
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 08/25] [libx11] Fixed memory leak by adding Xfree

[Erkki Seppälä]

Variable colormap_ret goes out of scope

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index ae053c9..5035df5 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -957,6 +957,7 @@ _XimEncodePreeditValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 11/25] [libx11] Fixed memory leak by adding Xfree

[Erkki Seppälä]

Variable image goes out of scope

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/ImUtil.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/ImUtil.c b/src/ImUtil.c
index cd418d8..3164d43 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -372,6 +372,7 @@ XImage *XCreateImage (
if (image_bytes_per_line == 0) {
image-bytes_per_line = min_bytes_per_line;
} else if (image_bytes_per_line  min_bytes_per_line) {
+   Xfree(image);
return NULL;
} else {
image-bytes_per_line = image_bytes_per_line;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 06/25] [libx11] Fixed memory leak by adding Xfree

[Erkki Seppälä]

Variable colormap_ret goes out of scope

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index b6d1e12..d62dfdb 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -999,7 +999,7 @@ _XimEncodeStatusValue(
 XIMArg *p)
 {
 if (res-xrm_name == XrmStringToQuark(XNStdColormap)) {
-   XStandardColormap   *colormap_ret;
+   XStandardColormap   *colormap_ret = NULL;
int  count;
 
if (!(XGetRGBColormaps(ic-core.im-core.display,
@@ -1007,6 +1007,7 @@ _XimEncodeStatusValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 05/25] [libx11] Fixed by using strncpy and explicitly terminating the buffer

[Erkki Seppälä]

Possible overrun of 8192 byte fixed size buffer buffer by copying ext-name 
without length checking

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/XlibInt.c |7 ---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index d55c26a..52ccff1 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
 ext  (ext-codes.major_opcode != event-request_code);
 ext = ext-next)
  ;
-   if (ext)
-   strcpy(buffer, ext-name);
-   else
+   if (ext) {
+   strncpy(buffer, ext-name, BUFSIZ);
+   buffer[BUFSIZ - 1] = '\0';
+} else
buffer[0] = '\0';
 }
 (void) fprintf(fp,  (%s)\n, buffer);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 21/25] [libx11] Fixed by zero'ing conv on allocation. Then close_converter works properly.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

Using uninitialized value conv-state in call to function close_converter

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/lc/def/lcDefConv.c |2 +-
 modules/lc/gen/lcGenConv.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c
index 5860a79..12a4861 100644
--- a/modules/lc/def/lcDefConv.c
+++ b/modules/lc/def/lcDefConv.c
@@ -577,7 +577,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c
index 074a8d7..baac73a 100644
--- a/modules/lc/gen/lcGenConv.c
+++ b/modules/lc/gen/lcGenConv.c
@@ -2650,7 +2650,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 18/25] [libx11] Initialize local variable

[Erkki Seppälä]

Using uninitialized value error.resourceID in call to function _XError

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/GetProp.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/GetProp.c b/src/GetProp.c
index a80c19c..5d6e0b8 100644
--- a/src/GetProp.c
+++ b/src/GetProp.c
@@ -46,7 +46,7 @@ XGetWindowProperty(
 {
 xGetPropertyReply reply;
 register xGetPropertyReq *req;
-xError error;
+xError error = {0};
 
 LockDisplay(dpy);
 GetReq (GetProperty, req);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 04/25] [libx11] Zero-initialized new

[Erkki Seppälä]

Using uninitialized value new

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcGeneric.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c
index 69ea97d..688a4cf 100644
--- a/src/xlibi18n/lcGeneric.c
+++ b/src/xlibi18n/lcGeneric.c
@@ -428,7 +428,7 @@ read_charset_define(
 char name[BUFSIZ];
 XlcCharSet charsetd;
 char **value;
-int num, new;
+int num, new = 0;
 XlcSide side = XlcUnknown;
 char *tmp;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 20/25] [libx11] info_list-watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

Variable wd_array goes out of scope Value wd_array is overwritten in 
wd_array = (XPointer*)realloc((char*)info_list-watch_data, 
(((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count + 1) * 4U)))

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/XlibInt.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index 52ccff1..3d13747 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -662,6 +662,7 @@ XAddConnectionWatch(
UnlockDisplay(dpy);
return 0;
}
+   info_list-watch_data = wd_array;
wd_array[dpy-watcher_count] = NULL;/* for cleanliness */
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 22/25] [libx11] Checked return value of XGetWindowProperty and return false if it fails.

[Erkki Seppälä]

Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, 
prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, 
format_ret, nitems, bytes_after_ret, prop_ret) is not checked

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imTrX.c |   33 +
 1 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c
index 47c231e..edcaf08 100644
--- a/modules/im/ximcp/imTrX.c
+++ b/modules/im/ximcp/imTrX.c
@@ -377,14 +377,19 @@ _XimXGetReadData(
*ret_len  = (int)nitems;
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret,
-   prop_ret);
-   XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
-   XA_STRING, 8, PropModePrepend, prop_ret[length],
-   (nitems - length));
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4),
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems,
+  bytes_after_ret,
+  prop_ret) == Success) {
+   XChangeProperty(im-core.display, spec-lib_connect_wid, 
prop,
+   XA_STRING, 8, PropModePrepend, 
prop_ret[length],
+   (nitems - length));
+   } else {
+   return False;
+   }
}
} else {
(void)memcpy(buf, prop_ret, buf_len);
@@ -393,10 +398,14 @@ _XimXGetReadData(
 
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret, prop_ret);
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4),
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems,
+  bytes_after_ret, prop_ret) != Success) 
{
+   return False;
+   }
}
XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 17/25] [libx11] The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

xcms/LRGB: Add a label for freeing property_return.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/LRGB.c |   26 ++
 1 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index c1606be..4853483 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  9) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 3;
break;
@@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  7) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 1;
break;
@@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  6) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 0;
break;
  default:
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
/*
@@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData(
}
}
} else {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
 #ifdef ALLDEBUG
@@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData(
 #endif /* ALLDEBUG */
 }
 
-Xfree ((char *)property_return);
-
 /* Free the old memory and use the new structure created. */
 LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData);
 
@@ -820,6 +811,9 @@ FreeRedTblElements:
 FreeRedTbl:
 Xfree((char *)pScreenData-pRedTbl);
 
+Free_property_return:
+Xfree ((char *)property_return);
+
 FreeSCCData:
 Xfree((char *)pScreenData);
 pPerScrnInfo-state = XcmsInitNone;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 16/25] [libx11] property_return was not free'd if the allocation of pRedTbl failed.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

xcms/LRGB: Fix potential resource leak.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/LRGB.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index d9168bd..c1606be 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
@@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 12/25] [libx11] Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name.

[Erkki Seppälä]

Variable prop_name not freed or pointed-to in function strlen

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/XDefaultOMIF.c |4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c
index bb3986a..f4f141c 100644
--- a/src/xlibi18n/XDefaultOMIF.c
+++ b/src/xlibi18n/XDefaultOMIF.c
@@ -403,9 +403,7 @@ get_font_name(
return NULL;
 }
 
-   name = (char*) Xmalloc(strlen(prop_name) + 1);
-   if (name)
-   strcpy(name, prop_name);
+   name = prop_name;
 
XFreeFont(dpy, fs);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 25/25] [libx11] Removed superfluous check for NULL target_dir; it is already handled before this code.

[Erkki Seppälä]

Cannot reach dead expression 0U inside statement if (1U + (target_dir ? 
strl...

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index d7e375e..18756c1 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 24/25] [libx11] Removed superfluous check for NULL target_dir; it is already handled before this code.

[Erkki Seppälä]

Cannot reach dead expression 0U inside statement if (1U + (target_dir ? 
strl...

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index 21a546d..d7e375e 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 23/25] [libx11] Fixed by negative value to memcpy by checking for the negative return value of _Xlcwctomb and returning 0/XLookupNone in that case.

[Erkki Seppälä]

a negative value was passed to memcpy

Unfortunately the other return values for *status don't fit into the
error (which appears to indicate some internal error or running out of
memory). The other valid status codes are XBufferOverflow,
XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of
these has a specific meaning attached.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imLcLkup.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c
index 80e4cfe..4891176 100644
--- a/modules/im/ximcp/imLcLkup.c
+++ b/modules/im/ximcp/imLcLkup.c
@@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char 
*buffer, int bytes,
unsigned char pattern = ic-private.local.brl_committed;
char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)];
ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern);
+   if(ret  0) {
+   if(status) *status = XLookupNone;
+   return(0);
+   }
if(ret  bytes) {
if(status) *status = XBufferOverflow;
return(ret);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH v2 07/25] [libx11] Fixed memory leak by adding Xfree and initializing missing_list with NULL

[Erkki Seppälä]

Variable missing_list goes out of scope

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index d62dfdb..ae053c9 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -313,7 +313,7 @@ _XimAttributeToValue(
INT16len = data[0];
char*base_name;
XFontSet rep = (XFontSet)NULL;
-   char**missing_list;
+   char**missing_list = NULL;
int  missing_count;
char*def_string;
 
@@ -347,6 +347,7 @@ _XimAttributeToValue(
}
 
Xfree(base_name);
+   Xfree(missing_list);
*((XFontSet *)value) = rep;
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 11/32] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index ae053c9..5035df5 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -957,6 +957,7 @@ _XimEncodePreeditValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 19/32] [libx11] Variable entry tracked as NULL was dereferenced.

[Erkki Seppälä]

Check entry for non-nullness before dereferencing it

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xkb/XKB.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xkb/XKB.c b/src/xkb/XKB.c
index 42dba99..f926cb9 100644
--- a/src/xkb/XKB.c
+++ b/src/xkb/XKB.c
@@ -462,7 +462,7 @@ XkbKTMapEntryPtrentry = NULL;
 if (map_rtrn!=NULL) {
bzero(map_rtrn,type-mods.mask+1);
for (i=0;itype-map_count;i++) {
-   if (entry-active) {
+   if (entry  entry-active) {
map_rtrn[type-map[i].mods.mask]= type-map[i].level;
}
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 20/32] [libx11] Double free of pointer property_return in call to free

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

property_return was free'd before and in the case the conditional is
true, the call to XcmsGetProperty failed which means that
property_return wasn't set so there is no need to free it again.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/xcms/LRGB.c |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index 2f7a4cc..d9168bd 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -573,7 +573,6 @@ LINEAR_RGB_InitSCCData(
 if (CorrectAtom == None ||
!_XcmsGetProperty (dpy, RootWindow(dpy, screenNumber), CorrectAtom,
   format_return, nitems, nbytes_return, property_return)) {
-   Xfree ((char *)property_return);
goto FreeSCCData;
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 16/32] [libx11] Variable table goes out of scope

[Erkki Seppälä]

The NEWTABLE macro missed freeing its allocated memory on subsequent memory 
allocation errors. Added call to Xfree.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 21f0af3..3e68c37 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -842,8 +842,10 @@ static void PutEntry(
nprev = NodeBuckets(table); \
 } else { \
table-leaf = 1; \
-   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * \
+   if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry * {\
+   Xfree(table); \
return; \
+} \
((LTable)table)-buckets = (VEntry *)nprev; \
 } \
 *nprev = (NTable)NULL; \
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 23/32] [libx11] Using uninitialized value error.resourceID in call to function _XError

[Erkki Seppälä]

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/GetProp.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/GetProp.c b/src/GetProp.c
index a80c19c..5d6e0b8 100644
--- a/src/GetProp.c
+++ b/src/GetProp.c
@@ -46,7 +46,7 @@ XGetWindowProperty(
 {
 xGetPropertyReply reply;
 register xGetPropertyReq *req;
-xError error;
+xError error = {0};
 
 LockDisplay(dpy);
 GetReq (GetProperty, req);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 21/32] [libx11] xcms/LRGB: Fix potential resource leak.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

property_return was not free'd if the allocation of pRedTbl failed.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/xcms/LRGB.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index d9168bd..c1606be 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -686,6 +686,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
@@ -723,6 +724,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
+   XFree ((char * ) property_return);
goto FreeSCCData;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 13/32] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRm.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c
index fa86979..3d09b81 100644
--- a/modules/im/ximcp/imRm.c
+++ b/modules/im/ximcp/imRm.c
@@ -2821,6 +2821,8 @@ _XimEncodeLocalPreeditValue(
ic-core.focus_window, colormap_ret,
count, (Atom)p-value)))
return False;
+
+   Xfree(colormap_ret);
 }
 return True;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 27/32] [libx11] Return value of XGetWindowProperty(im-core.display, spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) / 4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_af

[Erkki Seppälä]

Checked return value of XGetWindowProperty and return false if it fails.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imTrX.c |   33 +
 1 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c
index 47c231e..165832c 100644
--- a/modules/im/ximcp/imTrX.c
+++ b/modules/im/ximcp/imTrX.c
@@ -377,14 +377,19 @@ _XimXGetReadData(
*ret_len  = (int)nitems;
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret,
-   prop_ret);
-   XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
-   XA_STRING, 8, PropModePrepend, prop_ret[length],
-   (nitems - length));
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4), 
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems, 
+  bytes_after_ret, 
+  prop_ret) == Success) {
+   XChangeProperty(im-core.display, spec-lib_connect_wid, 
prop,
+   XA_STRING, 8, PropModePrepend, 
prop_ret[length],
+   (nitems - length));
+   } else {
+   return False;
+   }
}
} else {
(void)memcpy(buf, prop_ret, buf_len);
@@ -393,10 +398,14 @@ _XimXGetReadData(
 
if (bytes_after_ret  0) {
XFree(prop_ret);
-   XGetWindowProperty(im-core.display,
-   spec-lib_connect_wid, prop, 0L,
-   ((length + bytes_after_ret + 3)/ 4), True, AnyPropertyType,
-   type_ret, format_ret, nitems, bytes_after_ret, prop_ret);
+   if (XGetWindowProperty(im-core.display,
+  spec-lib_connect_wid, prop, 0L,
+  ((length + bytes_after_ret + 3)/ 4), 
+  True, AnyPropertyType,
+  type_ret, format_ret, nitems, 
+  bytes_after_ret, prop_ret) != Success) 
{
+   return False;
+   }
}
XChangeProperty(im-core.display, spec-lib_connect_wid, prop,
XA_STRING, 8, PropModePrepend, prop_ret[buf_len], len);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 24/32] [libx11] Using freed pointer prop_ret

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

In the case were a first call to XGetWindowProperty succeeds but the
initial value of len is smaller than the total length of the property,
prop_return is freed and another call XGWP is made. If that subsequent
call fails, unless the subsequent

  if (format_ret == 0 || nitems_ret == 0)

ends up returning XcmsFailure, the freed value of prop_ret from the
previous call to XGWP will be returned.

This patches changes the funcion to behavior to return XcmsFailure
if the call do XGetWindowProperty fails.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/xcms/cmsProp.c |   11 ++-
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/xcms/cmsProp.c b/src/xcms/cmsProp.c
index 856ae84..9294cc7 100644
--- a/src/xcms/cmsProp.c
+++ b/src/xcms/cmsProp.c
@@ -121,11 +121,12 @@ _XcmsGetProperty(
 long len = 6516;
 unsigned long nitems_ret, after_ret;
 Atom atom_ret;
+int xgwp_ret;
 
-while (XGetWindowProperty (pDpy, w, property, 0, len, False,
-  XA_INTEGER, atom_ret, format_ret,
-  nitems_ret, after_ret,
-  (unsigned char **)prop_ret)) {
+while ((xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+  XA_INTEGER, atom_ret, format_ret,
+  nitems_ret, after_ret,
+  (unsigned char **)prop_ret))) {
if (after_ret  0) {
len += nitems_ret * (format_ret  3);
XFree (prop_ret);
@@ -133,7 +134,7 @@ _XcmsGetProperty(
break;
}
 }
-if (format_ret == 0 || nitems_ret == 0) {
+if (xgwp_ret == 0 || format_ret == 0 || nitems_ret == 0) {
/* the property does not exist or is of an unexpected type */
return(XcmsFailure);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 18/32] [libx11] Tracked variable size was passed to a negative sink.

[Erkki Seppälä]

Fixed the handling of the extremely unlikely situation of fstat failing

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/Xrm.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/Xrm.c b/src/Xrm.c
index 3e68c37..b243d60 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -1595,6 +1595,12 @@ ReadInFile(_Xconst char *filename)
  * to the size returned by fstat.
  */
 GetSizeOfFile(fd, size);
+
+/* There might have been a problem trying to stat a file */
+if (size == -1) {
+   close (fd);
+   return (char *)NULL;
+}
 
 if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */
close(fd);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 30/32] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...

[Erkki Seppälä]

Removed superfluous check for NULL target_dir; it is already handled
before this code.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index 21a546d..d7e375e 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -785,8 +785,7 @@ _XlcLocaleLibDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 28/32] [libx11] Comparing array against NULL is not useful xkb-server-vmods != NULL

[Erkki Seppälä]

Removed superfluous comparison.

Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xkb/XKBMisc.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xkb/XKBMisc.c b/src/xkb/XKBMisc.c
index fc5ae5f..4aa1f73 100644
--- a/src/xkb/XKBMisc.c
+++ b/src/xkb/XKBMisc.c
@@ -619,7 +619,7 @@ KeySym *syms;
XkbApplyCompatMapToKey(xkb,key,changes);
 }
 
-if ((xkb-server-vmods!=NULL)(xkb-map-modmap!=NULL)(changes)
+if ((xkb-map-modmap!=NULL)(changes)
(changes-map.changed(XkbVirtualModMapMask|XkbModifierMapMask))) {
unsigned char   newVMods[XkbNumVirtualMods];
register  unsigned  bit,i;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 31/32] [libx11] Cannot reach dead expression 0U inside statement if (1U + (target_dir ? strl...

[Erkki Seppälä]

Removed superfluous check for NULL target_dir; it is already handled
before this code.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcFile.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/xlibi18n/lcFile.c b/src/xlibi18n/lcFile.c
index d7e375e..18756c1 100644
--- a/src/xlibi18n/lcFile.c
+++ b/src/xlibi18n/lcFile.c
@@ -685,8 +685,7 @@ _XlcLocaleDirName(char *dir_name, size_t dir_len, char 
*lc_name)
Xfree(name);
continue;
}
-   if ((1 + (target_dir ? strlen (target_dir) : 0) +
-strlen(locale.dir))  PATH_MAX) {
+   if ((1 + strlen (target_dir) + strlen(locale.dir))  PATH_MAX) {
sprintf(buf, %s/locale.dir, target_dir);
target_name = resolve_name(name, buf, RtoL);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 12/32] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRm.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imRm.c b/modules/im/ximcp/imRm.c
index 2e2c31f..fa86979 100644
--- a/modules/im/ximcp/imRm.c
+++ b/modules/im/ximcp/imRm.c
@@ -2841,6 +2841,8 @@ _XimEncodeLocalStatusValue(
ic-core.focus_window, colormap_ret,
count, (Atom)p-value)))
return False;
+
+   Xfree(colormap_ret);
 }
 return True;
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 10/32] [libx11] Variable missing_list goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree and initializing missing_list with NULL

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index d62dfdb..ae053c9 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -313,7 +313,7 @@ _XimAttributeToValue(
INT16len = data[0];
char*base_name;
XFontSet rep = (XFontSet)NULL;
-   char**missing_list;
+   char**missing_list = NULL;
int  missing_count;
char*def_string;
 
@@ -347,6 +347,7 @@ _XimAttributeToValue(
}
 
Xfree(base_name);
+   Xfree(missing_list);
*((XFontSet *)value) = rep;
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 15/32] [libx11] Variable prop_name not freed or pointed-to in function strlen

[Erkki Seppälä]

Instead of copying the value returned by get_prop_name and then releasing it, 
directly use the return value of get_prop_name, which allocates memory for the 
name.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/XDefaultOMIF.c |4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/src/xlibi18n/XDefaultOMIF.c b/src/xlibi18n/XDefaultOMIF.c
index bb3986a..f4f141c 100644
--- a/src/xlibi18n/XDefaultOMIF.c
+++ b/src/xlibi18n/XDefaultOMIF.c
@@ -403,9 +403,7 @@ get_font_name(
return NULL;
 }
 
-   name = (char*) Xmalloc(strlen(prop_name) + 1);
-   if (name)
-   strcpy(name, prop_name);
+   name = prop_name;
 
XFreeFont(dpy, fs);
 }
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 17/32] [libx11] Dereferencing possibly NULL str in call to function memcpy (Deref assumed on the basis of 'nonnull' parameter attribute.)

[Erkki Seppälä]

If _XkbGetReadBufferPtr returns NULL, goto BAILOUT

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xkb/XKBList.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/xkb/XKBList.c b/src/xkb/XKBList.c
index e1b4127..dec96b7 100644
--- a/src/xkb/XKBList.c
+++ b/src/xkb/XKBList.c
@@ -79,6 +79,8 @@ char *str;
if (!this-name)
goto BAILOUT;
str= (char *)_XkbGetReadBufferPtr(buf,wlen);
+   if (!str) 
+   goto BAILOUT;
memcpy(this-name,str,slen);
 }
 return first;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 29/32] [libx11] a negative value was passed to memcpy

[Erkki Seppälä]

Fixed by checking for the negative return value of _Xlcwctomb and
returning 0/XLookupNone in that case.

Unfortunately the other return values for *status don't fit into the
error (which appears to indicate some internal error or running out of
memory). The other valid status codes are XBufferOverflow,
XLookupNone, XLookupChars, XLookupKeySym, and XLookupBoth. Each of
these has a specific meaning attached.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imLcLkup.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/modules/im/ximcp/imLcLkup.c b/modules/im/ximcp/imLcLkup.c
index 80e4cfe..4891176 100644
--- a/modules/im/ximcp/imLcLkup.c
+++ b/modules/im/ximcp/imLcLkup.c
@@ -63,6 +63,10 @@ _XimLocalMbLookupString(XIC xic, XKeyEvent *ev, char 
*buffer, int bytes,
unsigned char pattern = ic-private.local.brl_committed;
char mb[XLC_PUBLIC(ic-core.im-core.lcd, mb_cur_max)];
ret = _Xlcwctomb(ic-core.im-core.lcd, mb, BRL_UC_ROW | pattern);
+   if(ret  0) {
+   if(status) *status = XLookupNone;
+   return(0);
+   }
if(ret  bytes) {
if(status) *status = XBufferOverflow;
return(ret);
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 25/32] [libx11] Variable wd_array goes out of scope Value wd_array is overwritten in wd_array = (XPointer*)realloc((char*)info_list-watch_data, (((dpy-watcher_count + 1) * 4U == 0U) ? 1U

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

info_list-watch_data was being reallocated, but the return value of the 
reallocation was stored only into a local variable. This might cause some funky 
behavior and crashes.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/XlibInt.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index 9f2745e..a78da9b 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -662,6 +662,7 @@ XAddConnectionWatch(
UnlockDisplay(dpy);
return 0;
}
+   info_list-watch_data = wd_array;
wd_array[dpy-watcher_count] = NULL;/* for cleanliness */
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 26/32] [libx11] Using uninitialized value conv-state in call to function close_converter

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

Fixed by zero'ing conv on allocation. Then close_converter works properly.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 modules/lc/def/lcDefConv.c |2 +-
 modules/lc/gen/lcGenConv.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/lc/def/lcDefConv.c b/modules/lc/def/lcDefConv.c
index 5860a79..12a4861 100644
--- a/modules/lc/def/lcDefConv.c
+++ b/modules/lc/def/lcDefConv.c
@@ -577,7 +577,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
diff --git a/modules/lc/gen/lcGenConv.c b/modules/lc/gen/lcGenConv.c
index 074a8d7..baac73a 100644
--- a/modules/lc/gen/lcGenConv.c
+++ b/modules/lc/gen/lcGenConv.c
@@ -2650,7 +2650,7 @@ create_conv(
 XlcConv conv;
 State state;
 
-conv = (XlcConv) Xmalloc(sizeof(XlcConvRec));
+conv = (XlcConv) Xcalloc(1, sizeof(XlcConvRec));
 if (conv == NULL)
return (XlcConv) NULL;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 22/32] [libx11] xcms/LRGB: Add a label for freeing property_return.

[Erkki Seppälä]

From: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com

The rest of the code uses goto's to free memory allocated later
and prevent memory leaks, but there were several paths were
property_return was free'd just before a goto.

Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi
Signed-off-by: Ander Conselvan de Oliveira 
ander.conselvan-de-olive...@nokia.com
---
 src/xcms/LRGB.c |   26 ++
 1 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index c1606be..4853483 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -594,8 +594,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  9) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 3;
break;
@@ -611,8 +610,7 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  7) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 1;
break;
@@ -627,14 +625,12 @@ LINEAR_RGB_InitSCCData(
 *  intensity2
 */
if (nitems  6) {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
count = 0;
break;
  default:
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
/*
@@ -686,8 +682,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType0(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -724,8 +719,7 @@ LINEAR_RGB_InitSCCData(
/* Red Intensity Table */
if (!(pScreenData-pRedTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl {
-   XFree ((char * ) property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
if (_XcmsGetTableType1(pScreenData-pRedTbl, format_return, pChar,
nitems) == XcmsFailure) {
@@ -762,8 +756,7 @@ LINEAR_RGB_InitSCCData(
}
}
} else {
-   Xfree ((char *)property_return);
-   goto FreeSCCData;
+   goto Free_property_return;
}
 
 #ifdef ALLDEBUG
@@ -789,8 +782,6 @@ LINEAR_RGB_InitSCCData(
 #endif /* ALLDEBUG */
 }
 
-Xfree ((char *)property_return);
-
 /* Free the old memory and use the new structure created. */
 LINEAR_RGB_FreeSCCData(pPerScrnInfo-screenData);
 
@@ -820,6 +811,9 @@ FreeRedTblElements:
 FreeRedTbl:
 Xfree((char *)pScreenData-pRedTbl);
 
+Free_property_return:
+Xfree ((char *)property_return);
+
 FreeSCCData:
 Xfree((char *)pScreenData);
 pPerScrnInfo-state = XcmsInitNone;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 32/32] [libx11] Cannot reach dead statement return NULL;

[Erkki Seppälä]

Removed superfluous check for NULL. name == NULL is already checked
at the function entry.

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xkb/XKBGAlloc.c |2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/src/xkb/XKBGAlloc.c b/src/xkb/XKBGAlloc.c
index 17d13be..a1cce94 100644
--- a/src/xkb/XKBGAlloc.c
+++ b/src/xkb/XKBGAlloc.c
@@ -696,8 +696,6 @@ register XkbPropertyPtr prop;
 }
 prop= geom-properties[geom-num_properties];
 prop-name= (char *)_XkbAlloc(strlen(name)+1);
-if (!name)
-   return NULL;
 strcpy(prop-name,name);
 prop-value= (char *)_XkbAlloc(strlen(value)+1);
 if (!value) {
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 00/31] Various fixes based on static analysis

[Erkki Seppälä]

Here is a bunch of fixes based on the findings of a static code
analysis tool.

Ander Conselvan de Oliveira (6):
  Double free of pointer property_return in call to free
  xcms/LRGB: Fix potential resource leak.
  xcms/LRGB: Add a label for freeing property_return.
  Using freed pointer prop_ret
  Variable wd_array goes out of scope Value wd_array is
overwritten in wd_array =
(XPointer*)realloc((char*)info_list-watch_data,
(((dpy-watcher_count + 1) * 4U == 0U) ? 1U : ((dpy-watcher_count
+ 1) * 4U)))
  Using uninitialized value conv-state in call to function
close_converter

Erkki Seppälä (26):
  Using freed pointer e
  Variable map goes out of scope
  Using uninitialized value p-modifiers
  Variable fs not freed or pointed-to in function get_prop_name
  Pointer pBuf returned from fgets(buf, 256, stream) is never used
  Pointer pBuf returned from fgets(buf, 256, stream) is never used
  Using uninitialized value new
  Possible overrun of 8192 byte fixed size buffer buffer by copying
ext-name without length checking
  Variable colormap_ret goes out of scope
  Variable missing_list goes out of scope
  Variable colormap_ret goes out of scope
  Variable colormap_ret goes out of scope
  Variable colormap_ret goes out of scope
  Variable image goes out of scope
  Variable prop_name not freed or pointed-to in function strlen
  Variable table goes out of scope
  Dereferencing possibly NULL str in call to function memcpy 
(Deref assumed on the basis of 'nonnull' parameter attribute.)
  Tracked variable size was passed to a negative sink.
  Variable entry tracked as NULL was dereferenced.
  Using uninitialized value error.resourceID in call to function
_XError
  Return value of XGetWindowProperty(im-core.display,
spec-lib_connect_wid, prop, 0L, (length + bytes_after_ret + 3UL) /
4UL, 1, 0UL, type_ret, format_ret, nitems, bytes_after_ret,
prop_ret) is not checked
  Comparing array against NULL is not useful xkb-server-vmods !=
NULL
  a negative value was passed to memcpy
  Cannot reach dead expression 0U inside statement if (1U +
(target_dir ? strl...
  Cannot reach dead expression 0U inside statement if (1U +
(target_dir ? strl...
  Cannot reach dead statement return NULL;

 modules/im/ximcp/imLcLkup.c  |4 
 modules/im/ximcp/imRm.c  |4 
 modules/im/ximcp/imRmAttr.c  |7 +--
 modules/im/ximcp/imThaiFlt.c |5 -
 modules/im/ximcp/imTrX.c |   33 +
 modules/lc/def/lcDefConv.c   |2 +-
 modules/lc/gen/lcGenConv.c   |2 +-
 src/GetProp.c|2 +-
 src/ImUtil.c |1 +
 src/KeyBind.c|5 -
 src/XlibInt.c|   12 +++-
 src/Xrm.c|   10 +-
 src/xcms/LRGB.c  |   25 ++---
 src/xcms/cmsColNm.c  |4 ++--
 src/xcms/cmsProp.c   |   11 ++-
 src/xkb/XKB.c|2 +-
 src/xkb/XKBGAlloc.c  |2 --
 src/xkb/XKBList.c|2 ++
 src/xkb/XKBMisc.c|2 +-
 src/xlibi18n/XDefaultOMIF.c  |9 +
 src/xlibi18n/lcFile.c|6 ++
 src/xlibi18n/lcGeneric.c |2 +-
 22 files changed, 92 insertions(+), 60 deletions(-)

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 01/32] [libx11] Using freed pointer e

[Erkki Seppälä]

Reordered code to first to do the comparison and then to release data

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/XlibInt.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index d55c26a..c385f4c 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -777,10 +777,10 @@ _XFreeEventCookies(Display *dpy)
 head = (struct stored_event**)dpy-cookiejar;
 
 DL_FOREACH_SAFE(*head, e, tmp) {
-XFree(e-ev.data);
-XFree(e);
 if (dpy-cookiejar == e)
 dpy-cookiejar = NULL;
+XFree(e-ev.data);
+XFree(e);
 }
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 02/32] [libx11] Variable map goes out of scope

[Erkki Seppälä]

Release modifiermap before returning

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imThaiFlt.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imThaiFlt.c b/modules/im/ximcp/imThaiFlt.c
index e0b3988..ca8c601 100644
--- a/modules/im/ximcp/imThaiFlt.c
+++ b/modules/im/ximcp/imThaiFlt.c
@@ -1268,9 +1268,12 @@ NumLockMask(Display *d)
 return 0;
 
 for (i = 0; i  8; i++) {
-if (map-modifiermap[map-max_keypermod * i] == numlock_keycode)
+if (map-modifiermap[map-max_keypermod * i] == numlock_keycode) {
+XFreeModifiermap(map);
 return 1  i;
+}
 }
+XFreeModifiermap(map);
 return 0;
 }
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 05/32] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used

[Erkki Seppälä]

Removed unused assignment

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index 4164370..c7ad4fd 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -567,7 +567,7 @@ stringSectionSize(
return(XcmsFailure);
 }
 
-while((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
break;
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 03/32] [libx11] Using uninitialized value p-modifiers

[Erkki Seppälä]

Smal fix by using calloc instead of Xmalloc

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/KeyBind.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/src/KeyBind.c b/src/KeyBind.c
index 6d80a02..5b78efc 100644
--- a/src/KeyBind.c
+++ b/src/KeyBind.c
@@ -46,6 +46,7 @@ in this Software without prior written authorization from The 
Open Group.
 #define XK_XKB_KEYS
 #include X11/keysymdef.h
 #include stdio.h
+#include stdlib.h
 
 #ifdef USE_OWN_COMPOSE
 #include imComp.h
@@ -996,13 +997,15 @@ XRebindKeysym (
 tmp = dpy-key_bindings;
 nb = sizeof(KeySym) * nm;
 
-if ((! (p = (struct _XKeytrans *) Xmalloc( sizeof(struct _XKeytrans ||
+/* using calloc to zero the contents of allocated structure */ 
+if ((! (p = (struct _XKeytrans *) calloc( 1, sizeof(struct _XKeytrans 
||
((! (p-string = (char *) Xmalloc( (unsigned) nbytes))) 
 (nbytes  0)) ||
((! (p-modifiers = (KeySym *) Xmalloc( (unsigned) nb))) 
 (nb  0))) {
if (p) {
if (p-string) Xfree(p-string);
+   /* without calloc, p-modifiers could end up being uninitialized */ 
if (p-modifiers) Xfree((char *) p-modifiers);
Xfree((char *) p);
}
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 06/32] [libx11] Pointer pBuf returned from fgets(buf, 256, stream) is never used

[Erkki Seppälä]

Removed unused assignment

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xcms/cmsColNm.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xcms/cmsColNm.c b/src/xcms/cmsColNm.c
index c7ad4fd..8518adf 100644
--- a/src/xcms/cmsColNm.c
+++ b/src/xcms/cmsColNm.c
@@ -651,7 +651,7 @@ ReadColornameDB(
  * Process lines between START_TOKEN to END_TOKEN
  */
 
-while ((pBuf = fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
+while ((fgets(buf, XCMSDB_MAXLINELEN, stream)) != NULL) {
if ((sscanf(buf, %s, token))  (strcmp(token, END_TOKEN) == 0)) {
/*
 * Found END_TOKEN so break out of for loop
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 09/32] [libx11] Variable colormap_ret goes out of scope

[Erkki Seppälä]

Fixed memory leak by adding Xfree

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 modules/im/ximcp/imRmAttr.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index b6d1e12..d62dfdb 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -999,7 +999,7 @@ _XimEncodeStatusValue(
 XIMArg *p)
 {
 if (res-xrm_name == XrmStringToQuark(XNStdColormap)) {
-   XStandardColormap   *colormap_ret;
+   XStandardColormap   *colormap_ret = NULL;
int  count;
 
if (!(XGetRGBColormaps(ic-core.im-core.display,
@@ -1007,6 +1007,7 @@ _XimEncodeStatusValue(
count, (Atom)p-value)))
return False;
 
+   XFree(colormap_ret);
 } else if (res-xrm_name == XrmStringToQuark(XNFontSet)) {
int   list_ret;
XFontStruct **struct_list;
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 07/32] [libx11] Using uninitialized value new

[Erkki Seppälä]

Zero-initialized new

Reviewed-by: Ander Conselvan de Oliveira ander.conselvan-de-olive...@nokia.com
Signed-off-by: Erkki Seppälä erkki.sepp...@vincit.fi
---
 src/xlibi18n/lcGeneric.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/xlibi18n/lcGeneric.c b/src/xlibi18n/lcGeneric.c
index 69ea97d..688a4cf 100644
--- a/src/xlibi18n/lcGeneric.c
+++ b/src/xlibi18n/lcGeneric.c
@@ -428,7 +428,7 @@ read_charset_define(
 char name[BUFSIZ];
 XlcCharSet charsetd;
 char **value;
-int num, new;
+int num, new = 0;
 XlcSide side = XlcUnknown;
 char *tmp;
 
-- 
1.7.0.4

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel