From 3f05df5a6c5140dc3d44f35b9fb635cca8b682c1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 20 Jul 2024 17:03:59 -0700
Subject: XRecordFreeState: avoid NULL dereference when called in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the client_info pointer is NULL (for instance, if we decided the number of entries would cause an integer overflow), then don't attempt to walk it to free the entries. Found by gcc 14.1: XRecord.c:513:31: warning: dereference of NULL ‘0’ [CWE-476] [-Wanalyzer-null-dereference] 513 | if (state->client_info[i]->ranges) { | ~~~~~~~~~~~~~~~~~~^~~ [...] | 452 | ret->client_info = client_inf; | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) ‘client_inf’ is NULL [...] | 457 | XRecordFreeState(ret); | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (14) ...to here | | (15) calling ‘XRecordFreeState’ from ‘XRecordGetContext’
Signed-off-by: Alan Coopersmith
Part-of:
---
src/XRecord.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/XRecord.c b/src/XRecord.c
index efa47bd..11d23f6 100644
--- a/src/XRecord.c
+++ b/src/XRecord.c
@@ -509,14 +509,14 @@ XRecordGetContext(Display *dpy, XRecordContext context,
 void
 XRecordFreeState(XRecordState *state)
 {
- for (unsigned long i = 0; i < state->nclients; i++) {
- if (state->client_info[i]->ranges) {
- if (state->client_info[i]->ranges[0])
- Xfree(state->client_info[i]->ranges[0]);
- Xfree(state->client_info[i]->ranges);
- }
- }
 if (state->client_info) {
+ for (unsigned long i = 0; i < state->nclients; i++) {
+ if (state->client_info[i]->ranges) {
+ if (state->client_info[i]->ranges[0])
+ Xfree(state->client_info[i]->ranges[0]);
+ Xfree(state->client_info[i]->ranges);
+ }
+ }
 if (state->client_info[0])
 Xfree(state->client_info[0]);
 Xfree(state->client_info);
--
cgit v1.2.3
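Review bot: The loop now nested under `if (state->client_info)` still dereferences `state->client_info[i]` without checking the element itself, while the line right after the loop tests `state->client_info[0]` for NULL before freeing it. If an error path can leave the pointer array allocated but its entries NULL (that check suggests so, though the allocation code is outside this hunk), the same CWE-476 dereference remains whenever `nclients` is non-zero. Changing the inner condition to `if (state->client_info[i] && state->client_info[i]->ranges) {` would cover that case. A short comment above the loop stating which of `client_info`, its entries and `ranges` may be NULL on the error path would also help. The body of XRecordFreeState continues past the end of the hunk.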