From 284ad8e473fd70db19237d979e609cc610f3e808 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 12 Oct 2024 16:12:13 -0700 Subject: [PATCH] Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL The comments in that function say "This only happens if master is a slave device. don't do that" but static analysis doesn't respect that. Found by Oracle Parfait 13.3: Null pointer dereference [null-pointer-deref]: Read from null pointer XTestptr at line 274 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer introduced at line 691 of Xext/xtest.c in function 'GetXTestDevice'. Function GetXTestDevice may return constant 'NULL' at line 691, called at line 273 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer dereference [null-pointer-deref]: Read from null pointer XTestkeybd at line 279 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer introduced at line 691 of Xext/xtest.c in function 'GetXTestDevice'. Function GetXTestDevice may return constant 'NULL' at line 691, called at line 278 of Xi/xichangehierarchy.c in function 'remove_master'. Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.") Signed-off-by: Alan Coopersmith Part-of: --- Xi/xichangehierarchy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c index 09dde9de7..a6e3171ee 100644 --- a/Xi/xichangehierarchy.c +++ b/Xi/xichangehierarchy.c @@ -263,11 +263,13 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) goto unwind; XTestptr = GetXTestDevice(ptr); + BUG_RETURN_VAL(XTestptr == NULL, BadDevice); rc = dixLookupDevice(&XTestptr, XTestptr->id, client, DixDestroyAccess); if (rc != Success) goto unwind; XTestkeybd = GetXTestDevice(keybd); + BUG_RETURN_VAL(XTestkeybd == NULL, BadDevice); rc = dixLookupDevice(&XTestkeybd, XTestkeybd->id, client, DixDestroyAccess); if (rc != Success) goto unwind;
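Review bot: Both added BUG_RETURN_VAL checks in remove_master return BadDevice directly, while every other failure path visible in this hunk sets rc and leaves through `goto unwind`; if the unwind label does any cleanup, these two early returns skip it. Consider keeping the single exit path, for example `if (XTestptr == NULL) { rc = BadDevice; goto unwind; }` with a BUG_WARN beforehand if the log entry is wanted, and the same for XTestkeybd. Otherwise, state in the commit message that nothing needs undoing at this point. The placement itself is correct: each check sits between the GetXTestDevice call and the `XTestptr->id` / `XTestkeybd->id` dereference passed to dixLookupDevice, which are the two reads the Parfait report flags.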