GrabDevice() calls AllocGrab() which can fail and return NULL. This return value is not checked, and can cause NULL pointer dereferences.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 dix/events.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dix/events.c b/dix/events.c
index 4aaa54c..2f0605e 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -5051,7 +5051,7 @@ ProcUngrabPointer(ClientPtr client)
 * @param other_mode GrabModeSync or GrabModeAsync
 * @param status Return code to be returned to the caller.
 *
- * @returns Success or BadValue.
+ * @returns Success or BadValue or BadAlloc.
 */
 int
 GrabDevice(ClientPtr client, DeviceIntPtr dev,
@@ -5132,6 +5132,8 @@ GrabDevice(ClientPtr client, DeviceIntPtr dev,
 GrabPtr tempGrab;
 tempGrab = AllocGrab(NULL);
+ if (tempGrab == NULL)
+ return BadAlloc;
 tempGrab->next = NULL;
 tempGrab->window = pWin;
-- 
1.7.9.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
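Review bot: The new `return BadAlloc;` in the second hunk exits GrabDevice without any visible write to the `status` out-parameter, so a caller that copies `*status` into a reply without first checking the return value would send an uninitialised byte to the client. GrabDevice's body starts and ends outside the hunk, so it cannot be judged from here whether `*status` is set earlier or whether anything acquired before this block needs releasing on the new exit path; both are worth confirming, along with the call sites. A short comment on the check would also record the intent, for example `/* AllocGrab() returns NULL on allocation failure; fail the request before tempGrab is dereferenced */`. The doc-comment line in the first hunk would read more cleanly as `@returns Success, BadValue or BadAlloc.`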
