From 5493a67ec256d22a8a41597a345d8e1c54d6e335 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 6 Jan 2014 17:10:39 -0800
Subject: GrabDevice() needs to handle NULL return value from AllocGrab()

GrabDevice() calls AllocGrab() which can fail and return NULL.
This return value is not checked, and can cause NULL pointer dereferences.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/events.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'dix')

diff --git a/dix/events.c b/dix/events.c
index 4aaa54c85..2f0605ef5 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -5051,7 +5051,7 @@ ProcUngrabPointer(ClientPtr client)
  * @param other_mode GrabModeSync or GrabModeAsync
  * @param status Return code to be returned to the caller.
  *
- * @returns Success or BadValue.
+ * @returns Success or BadValue or BadAlloc.
  */
 int
 GrabDevice(ClientPtr client, DeviceIntPtr dev,
@@ -5132,6 +5132,8 @@ GrabDevice(ClientPtr client, DeviceIntPtr dev,
         GrabPtr tempGrab;
 
         tempGrab = AllocGrab(NULL);
+        if (tempGrab == NULL)
+            return BadAlloc;
 
         tempGrab->next = NULL;
         tempGrab->window = pWin;
-- 
cgit v1.2.3