From 5406ddd003c95e2fcbb0411a7afff4daaa9b59f9 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 12 Oct 2024 16:38:55 -0700 Subject: [PATCH] render: avoid NULL pointer dereference if PictureFindVisual returns NULL Found by Oracle Parfait 13.3: Null pointer dereference [null-pointer-deref]: Read from null pointer pVisual at line 257 of dix/colormap.c in function 'CreateColormap'. Null pointer introduced at line 412 of render/picture.c in function 'PictureFindVisual'. Constant 'NULL' passed into function CreateColormap, argument pVisual, from call at line 431 in function 'PictureInitIndexedFormat'. Function PictureFindVisual may return constant 'NULL' at line 412, called at line 429. Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk") Signed-off-by: Alan Coopersmith (cherry picked from commit 7af077dd2f939b76e7d6ba84250368b6649fb777) Part-of: --- render/picture.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/render/picture.c b/render/picture.c index 2be4b1954..d08f30a8a 100644 --- a/render/picture.c +++ b/render/picture.c @@ -427,6 +427,9 @@ PictureInitIndexedFormat(ScreenPtr pScreen, PictFormatPtr format) else { VisualPtr pVisual = PictureFindVisual(pScreen, format->index.vid); + if (pVisual == NULL) + return FALSE; + if (CreateColormap(FakeClientID(0), pScreen, pVisual, &format->index.pColormap, AllocNone, 0) != Success)
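Review bot: The new early return in the else branch of PictureInitIndexedFormat, `if (pVisual == NULL) return FALSE;`, fails without any diagnostic or comment. A format whose `format->index.vid` matches no visual on the screen is therefore rejected silently. Consider adding a one-line comment that says when PictureFindVisual can return NULL for this vid, or an error log before the return, so the failure can be told apart from the CreateColormap failure path that follows. The guard itself is placed correctly, ahead of the only use of pVisual in the hunk. The commit message says PictureFindVisual may return NULL at line 412, so it is worth confirming that any other callers that pass its result on without a check get the same treatment; this hunk only covers the one call site.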