Comment 13 for bug 337608

Bryce Harrington (bryce) wrote : Re: Sun Java Plugin 6 + firefox3.0 - kills X server on Asus EEEPC 1000 + Jaunty Alpha5

I can't definitively tie either of those nulls to the affected code. However, your sample code shows that a null pointer being passed into memcpy could indeed be the culprit.

If my guess that the mystery line is fbBlt() is right, this code seems to be doing a memcpy:

        if (!upsidedown)
            for (i = 0; i < height; i++)
                MEMCPY_WRAPPED(dst + i * dstStride, src + i * srcStride, width);
        else
            for (i = height - 1; i >= 0; i--)
                MEMCPY_WRAPPED(dst + i * dstStride, src + i * srcStride, width);

        return;

Interestingly, this was the last code change to this fbblt.c file, although you can see it was a long time ago:

commit ee02e647882a4be29e1130bd79904ee79ed6b802
Author: Aaron Plattner <email address hidden>
Date: Tue Aug 1 13:45:43 2006 -0700

    Wrap libwfb memory access.

    Use the READ and WRITE macros to wrap memory accesses that could be in video
    memory. Add MEMCPY_WRAPPED and MEMSET_WRAPPED macros to wrap memcpy and
    memset, respectively.

Hrm, this is a tough one. I think the next step is to set a breakpoint and step through the fbBlt code after triggering the error, and see where memcpy is getting the null pointer. Let me know if you'd be able/willing to do that; if not, then let's just push this bug upstream and see what they say...