A potential use-after-free bug in hw/xfree86/common/xf86xv.c
In the source file hw/xfree86/common/xf86xv.c, at Line 570, the variable pregWin->data could be assigned with the static variable RegionEmptyData by transitively invoking the function RegionCreate. At Line 582, the variable pCompositeClip->data would also be assigned with the same static variable RegionEmptyData, and thus pregWin->data would be alias with pCompositeClip->data. At Line 583, when invoking the function RegionCopy, the variable pCompositeClip->data would be freed (See the following code snippet in RegionCopy). Although pCompositeClip->data will be assigned with a new value, pregWin->data still points to a freed heap memory. Therefore, at Line 591, when it calls the function RegionDestroy using the variable pregWin, the variable pregWin->data will be dereferenced and this leads to a use-after-free bug. Relevant code snippets are as followings.