From 3cd7892e911fcca5895612067f10233bdfbf11c4 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 30 Mar 2026 13:45:17 -0700
Subject: [PATCH] randr: handle -Wanalyzer-null-dereference in
 ProcRRGetOutputInfo()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../randr/rroutput.c:540:13:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’

The NULL dereference was only theoretically possible if the sum of
the sizes wrapped around to 0, but this ensures a NULL dereference
won't happen even in that case.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2165>
---
 randr/rroutput.c | 57 +++++++++++++++++++++++++-----------------------
 1 file changed, 30 insertions(+), 27 deletions(-)

diff --git a/randr/rroutput.c b/randr/rroutput.c
index 0af9c47ac..e6312d322 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -467,9 +467,6 @@ ProcRRGetOutputInfo(ClientPtr client)
     unsigned long extraLen;
     ScreenPtr pScreen;
     rrScrPrivPtr pScrPriv;
-    RRCrtc *crtcs;
-    RRMode *modes;
-    RROutput *clones;
     char *name;
     int i;
     Bool leased;
@@ -534,36 +531,42 @@ ProcRRGetOutputInfo(ClientPtr client)
                      output->numClones + bytes_to_int32(rep.nameLength)) << 2);
 
         if (extraLen) {
+            RRCrtc *crtcs;
+            RRMode *modes;
+            RROutput *clones;
+
             rep.length += bytes_to_int32(extraLen);
             extra = calloc(1, extraLen);
             if (!extra)
                 return BadAlloc;
+
+            crtcs = (RRCrtc *) extra;
+            modes = (RRMode *) (crtcs + output->numCrtcs);
+            clones = (RROutput *) (modes + output->numModes + output->numUserModes);
+            name = (char *) (clones + output->numClones);
+
+            for (i = 0; i < output->numCrtcs; i++) {
+                crtcs[i] = output->crtcs[i]->id;
+                if (client->swapped)
+                    swapl(&crtcs[i]);
+            }
+            for (i = 0; i < output->numModes + output->numUserModes; i++) {
+                if (i < output->numModes)
+                    modes[i] = output->modes[i]->mode.id;
+                else
+                    modes[i] = output->userModes[i - output->numModes]->mode.id;
+                if (client->swapped)
+                    swapl(&modes[i]);
+            }
+            for (i = 0; i < output->numClones; i++) {
+                clones[i] = output->clones[i]->id;
+                if (client->swapped)
+                    swapl(&clones[i]);
+            }
         }
-        else
+        else {
             extra = NULL;
-
-        crtcs = (RRCrtc *) extra;
-        modes = (RRMode *) (crtcs + output->numCrtcs);
-        clones = (RROutput *) (modes + output->numModes + output->numUserModes);
-        name = (char *) (clones + output->numClones);
-
-        for (i = 0; i < output->numCrtcs; i++) {
-            crtcs[i] = output->crtcs[i]->id;
-            if (client->swapped)
-                swapl(&crtcs[i]);
-        }
-        for (i = 0; i < output->numModes + output->numUserModes; i++) {
-            if (i < output->numModes)
-                modes[i] = output->modes[i]->mode.id;
-            else
-                modes[i] = output->userModes[i - output->numModes]->mode.id;
-            if (client->swapped)
-                swapl(&modes[i]);
-        }
-        for (i = 0; i < output->numClones; i++) {
-            clones[i] = output->clones[i]->id;
-            if (client->swapped)
-                swapl(&clones[i]);
+            name = NULL;
         }
     }
     memcpy(name, output->name, output->nameLength);