On Tue, Jul 17, 2018 at 10:12:55PM -0700, Keith Packard wrote:
> Peter Hutterer <peter.hutte...@who-t.net> writes:
>
> > Control flow is:
> > PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals)
> > PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals)
> > and writes those into the previously allocated array.
> >
> > This caused invalid reads/writes followed by eventually a double-free abort.
> >
> > Reproduced with xorg-integration-tests server test
> > XineramaTest.ScreenCrossing/* (and a bunch of others).
> >
> > Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
>
> Reviewed-by: Keith Packard <kei...@keithp.com>
>
> (I'd complain about the lack of NULL check, but the original code didn't
> bother either)

I suspect our overall behaviour where malloc fails is somewhere between
unpredictable and undefined. I don't think any of that code has ever been
tested and right now it probably just means we fall over somewhere else than
where it actually happened.

Thanks for the quick review, much appreciated.

To gitlab.freedesktop.org:xorg/xserver.git
   1c7f34e99..93cafb082  master -> master

Cheers,
  Peter
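
The size mismatch from the commit message (array sized from one count, filled from a larger one), together with the allocation-failure check raised in the review, as an added illustration: this is not code from the thread and not the xserver patch. VisualList, visual_list_init, visual_list_add and replay are hypothetical names, and the visual IDs are constructed values.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a per-depth visual ID list (not the xserver struct). */
typedef struct {
    unsigned *vids;   /* heap array of visual IDs */
    size_t count;     /* entries in use */
    size_t capacity;  /* entries allocated */
} VisualList;

/* Size the array from one count, as the depth's numVisuals did in the report. */
int visual_list_init(VisualList *l, size_t depth_visuals)
{
    l->count = 0;
    l->capacity = depth_visuals ? depth_visuals : 1;
    l->vids = calloc(l->capacity, sizeof *l->vids);
    return l->vids ? 0 : -1;      /* report allocation failure to the caller */
}

/* Append one match. The unchecked form, vids[count++] = vid, writes past the
 * allocation once matches outnumber it; here the array grows first. */
int visual_list_add(VisualList *l, unsigned vid)
{
    if (l->count == l->capacity) {
        size_t ncap = l->capacity * 2;
        unsigned *grown = NULL;
        if (ncap > l->capacity && ncap <= SIZE_MAX / sizeof *grown)
            grown = realloc(l->vids, ncap * sizeof *grown);
        if (!grown)
            return -1;            /* overflow or no memory; old array still valid */
        l->vids = grown;
        l->capacity = ncap;
    }
    l->vids[l->count++] = vid;
    return 0;
}

/* Allocate for `allocated` entries, add `matches` IDs, return how many were stored. */
size_t replay(size_t allocated, size_t matches)
{
    VisualList l;
    size_t i = 0;
    if (visual_list_init(&l, allocated) != 0)
        return 0;
    while (i < matches && visual_list_add(&l, 0x20 + (unsigned)i) == 0)
        i++;
    free(l.vids);
    return i;
}

int main(void) { return replay(240, 270) == 270 ? 0 : 1; }
```

Because both functions return an error instead of continuing, a failed allocation surfaces at the call that caused it rather than as a crash somewhere later.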