From 976ef43f95a372c7485ee51a7b1e07e13fbf972a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 16:04:50 -0700
Subject: [PATCH] Xext/sync: Avoid dereference of invalid pointer if malloc()
 failed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported incorrectly in #1817 as:

xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2843:12: danger: ‘priv’ leaks here; was allocated at [(30)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/29)

but the "leak" is really saving the pointer in an uninitalized pointer in
a structure that was already freed when the malloc of the SysCounterInfo
struct failed in SyncCreateSystemCounter(), because it returned the address
of the freed struct instead of NULL to indicate failure.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6034ce11b6cd31d42df0f5781f70d3073d91f95b)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
 Xext/sync.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/sync.c b/Xext/sync.c
index d12bd3378..900858773 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -1004,7 +1004,7 @@ SyncCreateSystemCounter(const char *name,
         psci = malloc(sizeof(SysCounterInfo));
         if (!psci) {
             FreeResource(pCounter->sync.id, RT_NONE);
-            return pCounter;
+            return NULL;
         }
         pCounter->pSysCounterInfo = psci;
         psci->pCounter = pCounter;