From 42e655de4d95cb108aec50efec6bbdb709bb13d7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 10 Jul 2012 23:29:53 -0700
Subject: [PATCH] rrproviderproperty.c: free newly allocated prop in more error
 paths

Reported by parfait 1.0:

Error: Memory leak (CWE 401)
   Memory leak of pointer 'prop' allocated with RRCreateProviderProperty(property)
        at line 221 of randr/rrproviderproperty.c in function 'RRChangeProviderProperty'.
          'prop' allocated at line 155 with RRCreateProviderProperty(property).
          prop leaks when pending != 0 at line 161.

Error: Memory leak (CWE 401)
   Memory leak of pointer 'prop' allocated with RRCreateProviderProperty(property)
        at line 345 of randr/rrproviderproperty.c in function 'RRConfigureProviderProperty'.
          'prop' allocated at line 333 with RRCreateProviderProperty(property).
        at line 349 of randr/rrproviderproperty.c in function 'RRConfigureProviderProperty'.
          'prop' allocated at line 333 with RRCreateProviderProperty(property).

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
---
 randr/rrproviderproperty.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index e0a814ff8..ab601da9a 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -216,6 +216,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
         if (pending && pScrPriv->rrProviderSetProperty &&
             !pScrPriv->rrProviderSetProperty(provider->pScreen, provider,
                                            prop->propertyName, &new_value)) {
+            if (add)
+                RRDestroyProviderProperty(prop);
             free(new_value.data);
             return BadValue;
         }
@@ -342,12 +344,18 @@ RRConfigureProviderProperty(RRProviderPtr provider, Atom property,
     /*
      * ranges must have even number of values
      */
-    if (range && (num_values & 1))
+    if (range && (num_values & 1)) {
+        if (add)
+            RRDestroyProviderProperty(prop);
         return BadMatch;
+    }
 
     new_values = malloc(num_values * sizeof(INT32));
-    if (!new_values && num_values)
+    if (!new_values && num_values) {
+        if (add)
+            RRDestroyProviderProperty(prop);
         return BadAlloc;
+    }
     if (num_values)
         memcpy(new_values, values, num_values * sizeof(INT32));