[PATCH] glx: Avoid use-after-free after drawableGone

Wed, 22 Sep 2010 05:32:44 -0700 

Becareful during list processing to keep valgrind quiet:

==2989== Invalid read of size 4
==2989==    at 0x48CE6B5: DrawableGone (glxext.c:168)
==2989==    by 0x809F401: FreeResource (resource.c:601)
==2989==    by 0x80845CE: ProcDestroyWindow (dispatch.c:733)
==2989==    by 0x8087D76: Dispatch (dispatch.c:432)
==2989==    by 0x8066439: main (main.c:291)
==2989==  Address 0x55a9c1c is 76 bytes inside a block of size 88 free'd
==2989==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==2989==    by 0x48D9DD8: __glXDRIcontextDestroy (glxdri2.c:250)
==2989==    by 0x48CE1A0: __glXFreeContext (glxext.c:222)
==2989==    by 0x48CE786: DrawableGone (glxext.c:165)
==2989==    by 0x809F401: FreeResource (resource.c:601)
==2989==    by 0x80845CE: ProcDestroyWindow (dispatch.c:733)
==2989==    by 0x8087D76: Dispatch (dispatch.c:432)
==2989==    by 0x8066439: main (main.c:291)

Reported-by: Julien Cristau <jcris...@debian.org>
Signed-off-by: Chris Wilson <ch...@chris-wilson.co.uk>
Cc: Kristian Høgsberg <k...@bitplanet.net>
---
 glx/glxext.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/glx/glxext.c b/glx/glxext.c
index e203156..69ed24e 100644
--- a/glx/glxext.c
+++ b/glx/glxext.c
@@ -124,7 +124,7 @@ static int glxBlockClients;
 */
 static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
 {
-    __GLXcontext *c;
+    __GLXcontext *c, *tmp;
 
     /* If this drawable was created using glx 1.3 drawable
      * constructors, we added it as a glx drawable resource under both
@@ -137,7 +137,8 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
            FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
     }
 
-    for (c = glxAllContexts; c; c = c->next) {
+    for (c = glxAllContexts; c; c = tmp) {
+       tmp = c->next;
        if (c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)) 
{
            int i;
 
@@ -160,15 +161,13 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
                    }
                }
            }
-
-           if (!c->idExists) {
-               __glXFreeContext(c);
-           }
        }
        if (c->drawPriv == glxPriv)
            c->drawPriv = NULL;
        if (c->readPriv == glxPriv)
            c->readPriv = NULL;
+       if (!c->idExists)
+           __glXFreeContext(c);
     }
 
     glxPriv->destroy(glxPriv);
-- 
1.7.1

_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

Reply via email to