Comment 13 for bug 705078

Bryce Harrington (bryce) wrote :

Perfect, mario, that points to the cause of the crash:

#0 0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
        solid = 0x0
        src = 0x0

Code at this location is:

        solid = uxa_acquire_solid(screen, src->pSourcePict);
        FreePicture(src, 0);

        src = solid;
        src_pixmap = uxa_get_offscreen_pixmap(src->pDrawable,
                                              &src_off_x, &src_off_y);

uxa_acquire_solid() can return 0 for all manner of different reasons, if it could not create a solid picture. Yet the return value isn't checked before dereferencing it. Looks like this code has been there for a while, and doesn't appear to have been fixed in the upstream codebase (at least, there's no null pointer check).
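The pattern described in the comment (an acquire helper that may return NULL, and a caller that dereferences the result without checking) and the shape of a fix, as an added, self-contained illustration that is not part of the bug report and not the xorg/UXA code. The `Picture` struct, `create_solid_picture()`, `acquire_solid()` and `fill_solid_rects()` are constructed stand-ins for the server's real types and for `uxa_acquire_solid()`/`uxa_solid_rects()`; the `fail` flag is a constructed knob standing in for the many real reasons acquisition can fail.

```c
#include <stdlib.h>

/* Constructed stand-in for an X server Picture; only the fields the example needs. */
typedef struct Picture {
    unsigned int color;     /* ARGB fill colour */
    void *drawable;         /* non-NULL once the picture is backed by a pixmap */
} Picture;

/* Hypothetical helper: a freshly created solid-colour source picture, not yet
 * backed by a pixmap (the role of the 'src' picture in the original function). */
static Picture *create_solid_picture(unsigned int color)
{
    Picture *p = calloc(1, sizeof(*p));
    if (p != NULL)
        p->color = color;
    return p;
}

static void free_picture(Picture *p)
{
    free(p);
}

/* Hypothetical model of uxa_acquire_solid(): returns a pixmap-backed solid
 * picture, or NULL on any failure. 'fail' is a constructed knob that stands in
 * for the real failure reasons (no offscreen memory, unsupported format, ...). */
static Picture *acquire_solid(const Picture *src, int fail)
{
    if (src == NULL || fail)
        return NULL;
    Picture *solid = calloc(1, sizeof(*solid));
    if (solid == NULL)
        return NULL;
    solid->color = src->color;
    solid->drawable = solid;    /* constructed: pretend a pixmap backs it */
    return solid;
}

/* Hardened counterpart of the fragment quoted in the comment. The original did
 *     solid = uxa_acquire_solid(screen, src->pSourcePict);
 *     FreePicture(src, 0);
 *     src = solid;
 *     src_pixmap = uxa_get_offscreen_pixmap(src->pDrawable, ...);
 * and crashed on src->pDrawable whenever the acquire returned NULL. Here the
 * result is checked first; on failure the function releases what it owns and
 * returns -1 so the caller can fall back (for instance to a software path)
 * instead of dereferencing NULL. Returns 0 on success and stores the acquired
 * colour in *out_color as a stand-in for the real fill work. */
static int fill_solid_rects(unsigned int color, int num_rects, int fail,
                            unsigned int *out_color)
{
    if (num_rects <= 0 || out_color == NULL)
        return -1;

    Picture *src = create_solid_picture(color);
    if (src == NULL)
        return -1;

    Picture *solid = acquire_solid(src, fail);
    free_picture(src);              /* src is not needed on either path */
    if (solid == NULL)
        return -1;                  /* the check the original code lacked */

    void *drawable = solid->drawable;   /* safe: solid is known to be non-NULL */
    *out_color = (drawable != NULL) ? solid->color : 0;
    free_picture(solid);
    return 0;
}
```

The point of the ownership handling is that the failure path must release `src` (which the function created) and must not touch `solid`, while the success path frees `src` only after the acquire has succeeded; a fix that merely adds `if (!solid) return;` without freeing `src` trades the crash for a leak.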