From mboxrd@z Thu Jan  1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 88882] hud_context.c: possible NULL-pointer dereference
Date: Fri, 30 Jan 2015 21:11:42 +0000
Message-ID: <bug-88882-502@http.bugs.freedesktop.org/>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1910080095=="
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from culpepper.freedesktop.org (unknown [131.252.210.165])
 by gabe.freedesktop.org (Postfix) with ESMTP id 6D2A96E877
 for <dri-devel@lists.freedesktop.org>; Fri, 30 Jan 2015 13:11:42 -0800 (PST)
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org


--===============1910080095==
Content-Type: multipart/alternative; boundary="1422652302.f3CAcadE0.27934"; charset="UTF-8"


--1422652302.f3CAcadE0.27934
Date: Fri, 30 Jan 2015 21:11:42 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

https://bugs.freedesktop.org/show_bug.cgi?id=88882

            Bug ID: 88882
           Summary: hud_context.c: possible NULL-pointer dereference
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/Gallium/radeonsi
          Assignee: dri-devel@lists.freedesktop.org
          Reporter: xypron.glpk@gmx.de
        QA Contact: dri-devel@lists.freedesktop.org

In
mesa/src/gallium/auxiliary/hud/hud_context.c
we find the following code

      case ',':
         env++;
         y += height + hud->font.glyph_height * (pane->num_graphs + 2);

         if (pane && pane->num_graphs) {
            LIST_ADDTAIL(&pane->head, &hud->pane_list);
            pane = NULL;
         }
         break;

pane is checked for being NULL. So obviously we expect NULL as possible value.
But we use pane->num_graphs before the check. This is possibly a NULL-pointer
dereference.

The problem was indicated by cppcheck
http://cppcheck.sourceforge.net/

Best regards

Heinrich Schuchardt

-- 
You are receiving this mail because:
You are the assignee for the bug.

--1422652302.f3CAcadE0.27934
Date: Fri, 30 Jan 2015 21:11:42 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"

<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - hud_context.c: possible NULL-pointer dereference"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=88882">88882</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>hud_context.c: possible NULL-pointer dereference
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Drivers/Gallium/radeonsi
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dri-devel&#64;lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>xypron.glpk&#64;gmx.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>dri-devel&#64;lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In
mesa/src/gallium/auxiliary/hud/hud_context.c
we find the following code

      case ',':
         env++;
         y += height + hud-&gt;font.glyph_height * (pane-&gt;num_graphs + 2);

         if (pane &amp;&amp; pane-&gt;num_graphs) {
            LIST_ADDTAIL(&amp;pane-&gt;head, &amp;hud-&gt;pane_list);
            pane = NULL;
         }
         break;

pane is checked for being NULL. So obviously we expect NULL as possible value.
But we use pane-&gt;num_graphs before the check. This is possibly a NULL-pointer
dereference.

The problem was indicated by cppcheck
<a href="http://cppcheck.sourceforge.net/">http://cppcheck.sourceforge.net/</a>

Best regards

Heinrich Schuchardt</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>

--1422652302.f3CAcadE0.27934--

--===============1910080095==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs
IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHA6Ly9saXN0
cy5mcmVlZGVza3RvcC5vcmcvbWFpbG1hbi9saXN0aW5mby9kcmktZGV2ZWwK

--===============1910080095==--