[PATCH 4/6] fb: Avoid installing terminal functions over pre-existing call chains

Chris Wilson chris at chris-wilson.co.uk
Wed May 28 00:14:02 PDT 2014


The fbWindow family of functions (Map, Unmap, Position and Destroy) are
all terminal functions, that is they do not chain up to earlier
extensions. This breaks those chains which leads to not only resource
leaks but also dereference of dangling pointers. One such issue arises
with fbScreenInit() breaking the earlier present_screen_init() and
causing the Xserver to die when a Window is closed after being used with
Present and fb:

==15808== Invalid read of size 4
==15808==    at 0x81A9226: dixGetPrivateAddr (privates.h:123)
==15808==    by 0x81A928C: dixGetPrivate (privates.h:137)
==15808==    by 0x81A92BE: present_window_priv (present_priv.h:143)
==15808==    by 0x81A92EA: present_free_event (present_event.c:35)
==15808==    by 0x80A9C85: doFreeResource (resource.c:873)
==15808==    by 0x80AA5F8: FreeClientResources (resource.c:1139)
==15808==    by 0x807BD5E: CloseDownClient (dispatch.c:3384)
==15808==    by 0x80740B5: Dispatch (dispatch.c:406)
==15808==    by 0x80816CD: dix_main (main.c:296)
==15808==    by 0x80D2FA1: main (stubmain.c:34)
==15808==  Address 0x60f38c8 is 24 bytes inside a block of size 168 free'd
==15808==    at 0x4007BCD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15808==    by 0x80A1A67: _dixFreeObjectWithPrivates (privates.c:538)
==15808==    by 0x80B5E0D: DeleteWindow (window.c:991)
==15808==    by 0x80A9C85: doFreeResource (resource.c:873)
==15808==    by 0x80AA5F8: FreeClientResources (resource.c:1139)
==15808==    by 0x807BD5E: CloseDownClient (dispatch.c:3384)
==15808==    by 0x80740B5: Dispatch (dispatch.c:406)
==15808==    by 0x80816CD: dix_main (main.c:296)
==15808==    by 0x80D2FA1: main (stubmain.c:34)

Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
---
 fb/fbscreen.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/fb/fbscreen.c b/fb/fbscreen.c
index b2b9739..9876ba7 100644
--- a/fb/fbscreen.c
+++ b/fb/fbscreen.c
@@ -106,11 +106,15 @@ fbSetupScreen(ScreenPtr pScreen, void *pbits, /* pointer to screen bitmap */
     pScreen->GetImage = fbGetImage;
     pScreen->GetSpans = fbGetSpans;
     pScreen->CreateWindow = fbCreateWindow;
-    pScreen->DestroyWindow = fbDestroyWindow;
-    pScreen->PositionWindow = fbPositionWindow;
+    if (pScreen->DestroyWindow == NULL)
+        pScreen->DestroyWindow = fbDestroyWindow;
+    if (pScreen->PositionWindow == NULL)
+        pScreen->PositionWindow = fbPositionWindow;
     pScreen->ChangeWindowAttributes = fbChangeWindowAttributes;
-    pScreen->RealizeWindow = fbMapWindow;
-    pScreen->UnrealizeWindow = fbUnmapWindow;
+    if (pScreen->RealizeWindow == NULL)
+        pScreen->RealizeWindow = fbMapWindow;
+    if (pScreen->UnrealizeWindow == NULL)
+        pScreen->UnrealizeWindow = fbUnmapWindow;
     pScreen->CopyWindow = fbCopyWindow;
     pScreen->CreatePixmap = fbCreatePixmap;
     pScreen->DestroyPixmap = fbDestroyPixmap;
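Review bot: The four `== NULL` guards (DestroyWindow, PositionWindow, RealizeWindow, UnrealizeWindow) silently skip fb's handler whenever an earlier extension has already hooked the slot, so the fix relies on the fb function doing nothing that matters in that case. If that is the intent, a comment above the first guard should say so, because a reader otherwise sees four fb handlers whose installation depends on init order. The guards also assume these slots are NULL on a fresh screen, which nothing in this hunk establishes. CreateWindow, ChangeWindowAttributes and CopyWindow are still assigned unconditionally in the same block; please state whether those slots can carry pre-existing wrappers too, since they would overwrite a chain in the same way.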
-- 
2.0.0.rc2


