If the client passed a size <= 0 to shm_create_pool, it would
go to err_free, which wouldn't close the fd, and thus leave it opened.
We can also move the size check before the struct wl_shm_pool
malloc, so in case the client passes a wrong size, it won't
do an unnecessary malloc and then free.
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
{
struct wl_shm_pool *pool;
- pool = malloc(sizeof *pool);
- if (pool == NULL) {
- wl_client_post_no_memory(client);
- goto err_close;
- }
-
if (size <= 0) {
wl_resource_post_error(resource,
WL_SHM_ERROR_INVALID_STRIDE,
"invalid size (%d)", size);
- goto err_free;
+ goto err_close;
+ }
+
+ pool = malloc(sizeof *pool);
+ if (pool == NULL) {
+ wl_client_post_no_memory(client);
+ goto err_close;
}
pool->refcount = 1;
wl_resource_post_error(resource,
WL_SHM_ERROR_INVALID_FD,
"failed mmap fd %d", fd);
- goto err_close;
+ goto err_free;
}
close(fd);
return;
-err_close:
- close(fd);
err_free:
free(pool);
+err_close:
+ close(fd);
}
static const struct wl_shm_interface shm_interface = {