From 446baf6b15b362a4d1b197c92533b42eb2677977 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 20:59:49 +0300
Subject: [PATCH] Xext/sync: avoid null dereference if SysCounterGetPrivate()
 returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817:

xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2664:9: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’

xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2677:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’

xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2767:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’

xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2800:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
---
 Xext/sync.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/Xext/sync.c b/Xext/sync.c
index 1ed7e3ac41..6bdbc72d11 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -2424,8 +2424,7 @@ IdleTimeBlockHandler(void *pCounter, void *wt)
 {
     SyncCounter *counter = pCounter;
     IdleCounterPriv *priv = SysCounterGetPrivate(counter);
-    if (!priv)
-        return;
+    BUG_RETURN(priv == NULL);
     int64_t *less = priv->value_less;
     int64_t *greater = priv->value_greater;
     int64_t idle, old_idle;
@@ -2516,8 +2515,7 @@ IdleTimeWakeupHandler(void *pCounter, int rc)
 {
     SyncCounter *counter = pCounter;
     IdleCounterPriv *priv = SysCounterGetPrivate(counter);
-    if (!priv)
-        return;
+    BUG_RETURN(priv == NULL);
     int64_t *less = priv->value_less;
     int64_t *greater = priv->value_greater;
     int64_t idle;
@@ -2551,8 +2549,7 @@ IdleTimeBracketValues(void *pCounter, int64_t *pbracket_less,
 {
     SyncCounter *counter = pCounter;
     IdleCounterPriv *priv = SysCounterGetPrivate(counter);
-    if (!priv)
-        return;
+    BUG_RETURN(priv == NULL);
     int64_t *less = priv->value_less;
     int64_t *greater = priv->value_greater;
     Bool registered = (less || greater);