One of the malloc failure checks had a goto to the wrong spot in the
list of cleanup free() calls to unwind at the end, and was freeing
bits that hadn't been initialized/allocated yet, since they would be
stored in the struct that just failed to be allocated.
Error: Null pointer dereference (CWE 476)
Read from pointer that could be constant 'NULL'
at line 805 of /export/alanc/X.Org/sx86/lib/libX11/src/xcms/LRGB.c in
function 'LINEAR_RGB_InitSCCData'.
Pointer checked against constant 'NULL' at line 754 but does not
protect the dereference.
[ This bug was found by the Parfait bug checking tool.
For more information see http://research.sun.com/projects/parfait ]
Signed-off-by: Alan Coopersmith <[email protected]>
---
src/xcms/LRGB.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/xcms/LRGB.c b/src/xcms/LRGB.c
index 4e9f029..2f7a4cc 100644
--- a/src/xcms/LRGB.c
+++ b/src/xcms/LRGB.c
@@ -753,7 +753,7 @@ LINEAR_RGB_InitSCCData(
/* Blue Intensity Table */
if (!(pScreenData->pBlueTbl = (IntensityTbl *)
Xcalloc (1, sizeof(IntensityTbl)))) {
- goto FreeBlueTblElements;
+ goto FreeGreenTblElements;
}
if (_XcmsGetTableType1(pScreenData->pBlueTbl, format_return,
&pChar,
&nitems) == XcmsFailure) {
--
1.5.6.5
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
