drm: fix the usage after free

For readdir_r(), the next directory entry is returned in caller-allocted
buffer (pointered by pent here).

https://bugs.freedesktop.org/show_bug.cgi?id=91704

Signed-off-by: Mathias Tillman <master.homer@gmail.com>
Signed-off-by: Jammy Zhou <Jammy.Zhou@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>

diff --git a/xf86drm.c b/xf86drm.c
index 5e02969..a7cc643 100644 (file)
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -2803,11 +2803,12 @@ static char *drmGetMinorNameForFD(int fd, int type)
 
        while (readdir_r(sysdir, pent, &ent) == 0 && ent != NULL) {
                if (strncmp(ent->d_name, name, len) == 0) {
+                       snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
+                                ent->d_name);
+
                        free(pent);
                        closedir(sysdir);
 
-                       snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
-                                ent->d_name);
                        return strdup(dev_name);
                }
        }