A potential Use-After-Free bug in miext/damage/damage.c
In the source file https://github.com/freedesktop/xorg-xserver/blob/master/miext/damage/damage.c , at Line 296, it will invoke the function DamageReportDamage, where pDamage->pendingDamage->data would be freed. At Line 301, it will invoke the function RegionEmpty, where pDamage->pendingDamage->data would be referenced. This would lead to use-after-free bug.
To see how pDamage->pendingDamage->data would be freed when invoking the function DamageReportDamage, please see the following code snippet. In the source file https://github.com/freedesktop/xorg-xserver/blob/master/miext/damage/damage.c , at Line 1947, the variable tmpRegion->data will point to the variable pDamageRegion->data. At Line 1932, tmpRegion->data would be free when calling to the function RegionUninit. Therefore, pDamageRegion->data will correspondingly be freed and return to its caller.
To see how pDamage->pendingDamage->data would be referenced when invoking the function RegionEmpty, please see the following code snippet.
Please have a check whether this is a true bug. Thanks.