On Fri, Jun 11, 2010 at 02:26:57PM +1000, Ben Skeggs wrote: > From: Ben Skeggs <[email protected]> > > Without resetting the private's pointer to NULL, we can end up freeing > the struct twice: > > ==11188== Invalid free() / delete / delete[] > ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325) > ==11188== by 0x42D8A3: dixFreePrivates (privates.c:217) > ==11188== by 0x420CF6: main (main.c:319) > ==11188== Address 0x8d884a0 is 0 bytes inside a block of size 24 free'd > ==11188== at 0x4C24D72: free (vg_replace_malloc.c:325) > ==11188== by 0x4996A3: CursorCloseScreen (cursor.c:200) > ==11188== by 0x4C051B: AnimCurCloseScreen (animcur.c:125) > ==11188== by 0x420CCB: main (main.c:317) > ==11188== > > Signed-off-by: Ben Skeggs <[email protected]> > --- > xfixes/cursor.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/xfixes/cursor.c b/xfixes/cursor.c > index 41ba0fb..5c04231 100644 > --- a/xfixes/cursor.c > +++ b/xfixes/cursor.c > @@ -190,6 +190,7 @@ CursorCloseScreen (int index, ScreenPtr pScreen) > deleteCursorHideCountsForScreen(pScreen); > ret = (*pScreen->CloseScreen) (index, pScreen); > free(cs); > + SetCursorScreen(pScreen, NULL); > return ret; > } > > -- > 1.7.0.1
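Review bot: The added SetCursorScreen(pScreen, NULL) in CursorCloseScreen carries no comment explaining why the private must be cleared, and the reason is not obvious from the function itself. The valgrind trace in the commit message shows dixFreePrivates (privates.c:217) freeing the same 24-byte block later in main, so a one-line comment saying that the private is freed again by dixFreePrivates unless it is reset would keep the line from being dropped in a later cleanup. As a style point, the reset could go immediately before free(cs), so that the screen private never holds a pointer to freed memory, even briefly.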
Funnily enough, this isn't reproducible on all machines but the patch looks correct to me.

Reviewed-by: Peter Hutterer <[email protected]>

Cheers,
  Peter
