From 939ce0bae68b682b57675f65c901653c1a094ebb Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 1 Mar 2016 21:39:01 +0100
Subject: xv: fix double free in AddResource failure case

XvdiDestroyVideoNotifyList already frees the list if AddResource fails,
so don't do it twice.  And set tpn->client to NULL explicitly to avoid
confusing uninitialized memory with a valid value.

Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
 Xext/xvmain.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/Xext/xvmain.c b/Xext/xvmain.c
index 3a0263427..c9b11d4bb 100644
--- a/Xext/xvmain.c
+++ b/Xext/xvmain.c
@@ -800,10 +800,9 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
         if (!(tpn = malloc(sizeof(XvVideoNotifyRec))))
             return BadAlloc;
         tpn->next = NULL;
-        if (!AddResource(pDraw->id, XvRTVideoNotifyList, tpn)) {
-            free(tpn);
+        tpn->client = NULL;
+        if (!AddResource(pDraw->id, XvRTVideoNotifyList, tpn))
             return BadAlloc;
-        }
     }
     else {
         /* LOOK TO SEE IF ENTRY ALREADY EXISTS */
-- 
cgit v1.2.3