2005-03-24 20:40:53

by Adrian Bunk

[permalink] [raw]
Subject: drivers/acpi/video.c: null pointer dereference

The Coverity checker found the following null pointer dereference in
drivers/acpi/video.c:

<-- snip -->

...
static int
acpi_video_switch_output(
...
{
...
struct acpi_video_device *dev=NULL;
...
list_for_each_safe(node, next, &video->video_device_list) {
struct acpi_video_device * dev = container_of(node, struct acpi_video_device, entry);
...
}
...
switch (event) {
case ACPI_VIDEO_NOTIFY_CYCLE:
case ACPI_VIDEO_NOTIFY_NEXT_OUTPUT:
acpi_video_device_set_state(dev, 0);
acpi_video_device_set_state(dev_next, 0x80000001);
break;
case ACPI_VIDEO_NOTIFY_PREV_OUTPUT:
acpi_video_device_set_state(dev, 0);
acpi_video_device_set_state(dev_prev, 0x80000001);
...

<-- snip -->


Two different variables of the same name within 40 lines of code are a
good indication that something's wrong...


The outer "dev" variable is never assigned any value different from
NULL.

acpi_video_device_set_state dereferences this variable.


cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed


2005-03-31 03:28:15

by Brown, Len

[permalink] [raw]
Subject: Re: drivers/acpi/video.c: null pointer dereference

On Thu, 2005-03-24 at 15:37, Adrian Bunk wrote:
> The Coverity checker found the following null pointer dereference in
> drivers/acpi/video.c:
>
> <-- snip -->
>
> ...
> static int
> acpi_video_switch_output(
> ...
> {
> ...
> struct acpi_video_device *dev=NULL;
> ...
> list_for_each_safe(node, next, &video->video_device_list) {
> struct acpi_video_device * dev = container_of(node,
> struct acpi_video_device, entry);
> ...
> }
> ...
> switch (event) {
> case ACPI_VIDEO_NOTIFY_CYCLE:
> case ACPI_VIDEO_NOTIFY_NEXT_OUTPUT:
> acpi_video_device_set_state(dev, 0);
> acpi_video_device_set_state(dev_next, 0x80000001);
> break;
> case ACPI_VIDEO_NOTIFY_PREV_OUTPUT:
> acpi_video_device_set_state(dev, 0);
> acpi_video_device_set_state(dev_prev, 0x80000001);
> ...
>
> <-- snip -->
>
>
> Two different variables of the same name within 40 lines of code are a
> good indication that something's wrong...
>
>
> The outer "dev" variable is never assigned any value different from
> NULL.
>
> acpi_video_device_set_state dereferences this variable.
>
>
> cu
> Adrian

Looks like we should do this:



Attachments:
video.patch (599.00 B)