hrev43446 adds 1 changeset to branch 'master' old head: 6ba5fa4d64c5cdda19404c9d8360d809d9546144 new head: b5cc636fa4ccd73498a0ac8d184ff192799d5d27
----------------------------------------------------------------------------
b5cc636: Make a copy of the mode list as it might be realloced later. The fModes array is realloc'ed as needed when adding modes. Therefore the fModes pointer handed in to AddModes() becomes invalid once _MakeSpace() returns in that function causing a freed memory block to be used as input. To avoid that we make a copy of the base mode list and then use that to add the modes for each color space. [ Michael Lotz <mmlr@xxxxxxxx> ]
----------------------------------------------------------------------------
Revision: hrev43446 Commit: b5cc636fa4ccd73498a0ac8d184ff192799d5d27 URL: http://cgit.haiku-os.org/haiku/commit/?id=b5cc636 Author: Michael Lotz <mmlr@xxxxxxxx> Date: Fri Dec 9 15:00:35 2011 UTC
----------------------------------------------------------------------------
1 files changed, 13 insertions(+), 4 deletions(-) .../accelerants/common/create_display_modes.cpp | 17 ++++++++++++---
----------------------------------------------------------------------------
diff --git a/src/add-ons/accelerants/common/create_display_modes.cpp b/src/add-ons/accelerants/common/create_display_modes.cpp
index a2916b3..83afcc5 100644
--- a/src/add-ons/accelerants/common/create_display_modes.cpp
+++ b/src/add-ons/accelerants/common/create_display_modes.cpp
@@ -331,17 +331,26 @@ ModeList::AddModes(const display_mode* modes, uint32 count)
 bool ModeList::CreateColorSpaces(const color_space* spaces, uint32 count) {
- uint32 modeCount = fCount;
+ uint32 baseModeCount = fCount;
+ size_t baseModesSize = baseModeCount * sizeof(display_mode);
+ display_mode* baseModes = (display_mode*)malloc(baseModesSize);
+ if (baseModes == NULL)
+ return false;
+
+ memcpy(baseModes, fModes, baseModesSize);
 for (uint32 i = 0; i < count; i++) {
- if (i > 0 && !AddModes(fModes, modeCount))
+ if (i > 0 && !AddModes(baseModes, baseModeCount)) {
+ free(baseModes);
 return false;
+ }
- for (uint32 j = 0; j < modeCount; j++) {
- fModes[j + fCount - modeCount].space = spaces[i];
+ for (uint32 j = 0; j < baseModeCount; j++) {
+ fModes[j + fCount - baseModeCount].space = spaces[i];
 }
 }
+ free(baseModes);
 return true;
 }
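Review bot: The new `baseModes == NULL` check turns an empty mode list into a failure: when fCount is 0, baseModesSize is 0 and malloc(0) is allowed to return NULL, so CreateColorSpaces() would return false where the old code returned true after doing nothing. Guard the empty case before allocating, `if (baseModeCount == 0) return true;`, or only treat NULL as an error when `baseModesSize != 0`. Copying the base entries once before the loop and handing the private buffer to AddModes() addresses the stale-pointer problem the commit describes, and both free() paths (inside the failed-AddModes branch and before the final return) look correct; the whole function is visible in the hunk. As before, a failing AddModes() still leaves fModes partially extended with the earlier color spaces applied, which the commit does not change.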