xserver: Branch 'master' - 3 commits

Dave Airlie airlied at kemper.freedesktop.org
Tue Jun 23 17:48:02 PDT 2009


 dix/resource.c      |   12 ++++++++----
 glx/glxext.c        |    2 +-
 glx/singlepix.c     |    1 +
 glx/singlepixswap.c |    1 +
 4 files changed, 11 insertions(+), 5 deletions(-)

New commits:
commit 07c36e4fdcd93df3d33bdab6cca4780ebc9c1f54
Author: Dave Airlie <airlied at redhat.com>
Date:   Wed Jun 10 13:33:47 2009 +1000

    dix/resource: fix use after free in resource code with DRI
    
    LookupClientResourceComplex is used by DRI1 code to find and free a DRI
    drawable in a callback, however when the DRI code returns this->value
    is now pointing at freed memory. It seemed easiest to store the value
    to a temporary and return it afterwards.
    
    Another option might be a new FreeClientResourceComplex or one that
    also returns the id, so we can free it using an alternative means.
    
    found using valgrind.
    
    amended along ajax's suggestions

diff --git a/dix/resource.c b/dix/resource.c
index 73bc3a9..d3641df 100644
--- a/dix/resource.c
+++ b/dix/resource.c
@@ -707,7 +707,8 @@ LookupClientResourceComplex(
     pointer cdata
 ){
     ResourcePtr *resources;
-    ResourcePtr this;
+    ResourcePtr this, next;
+    pointer value;
     int i;
 
     if (!client)
@@ -715,10 +716,13 @@ LookupClientResourceComplex(
 
     resources = clientTable[client->index].resources;
     for (i = 0; i < clientTable[client->index].buckets; i++) {
-        for (this = resources[i]; this; this = this->next) {
+        for (this = resources[i]; this; this = next) {
+	    next = this->next;
 	    if (!type || this->type == type) {
-		if((*func)(this->value, this->id, cdata))
-		    return this->value;
+		/* workaround func freeing the type as DRI1 does */
+		value = this->value;
+		if((*func)(value, this->id, cdata))
+		    return value;
 	    }
 	}
     }
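Review bot: When `func` frees the resource, the pointer handed back by `return value;` refers to memory that has already been released, so the dangling reference moves from `this->value` to the caller rather than going away. The function's contract should state this, for example with `/* func may free the resource; the returned pointer is then only a non-NULL "found" indicator and must not be dereferenced */` above the loop. Caching `next = this->next` protects only against `func` freeing `this`; if a callback can release other entries in the same bucket, `next` would be stale, which this hunk cannot rule out. The existing comment says "freeing the type" where it presumably means the resource. The function body starts and ends outside the hunk.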
commit 184deb9bc325eb7aa7eb7b7d4f98aa917f0269cb
Author: Dave Airlie <airlied at redhat.com>
Date:   Wed Jun 24 10:40:05 2009 +1000

    GLX: make function static.
    
    This function isn't called from anywhere else and I don't think it should be.

diff --git a/glx/glxext.c b/glx/glxext.c
index a571ec9..19d70d4 100644
--- a/glx/glxext.c
+++ b/glx/glxext.c
@@ -171,7 +171,7 @@ void __glXAddToContextList(__GLXcontext *cx)
     glxAllContexts = cx;
 }
 
-void __glXRemoveFromContextList(__GLXcontext *cx)
+static void __glXRemoveFromContextList(__GLXcontext *cx)
 {
     __GLXcontext *c, *prev;
 
commit 9d85b56078ec05da1369ca22930d8eb214c389db
Author: Dave Airlie <airlied at redhat.com>
Date:   Wed Jun 24 10:38:49 2009 +1000

    GLX: note the implicit flushes with ReadPixels in indirect contexts.
    
    This just notes the flush has occurred when readpixels returns, and
    fixes the glean test.

diff --git a/glx/singlepix.c b/glx/singlepix.c
index 7b2cb4c..a0a6a79 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -91,6 +91,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
 	__GLX_SEND_HEADER();
 	__GLX_SEND_VOID_ARRAY(compsize);
     }
+    __GLX_NOTE_FLUSHED_CMDS(cx);
     return Success;
 }
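Review bot: The added `__GLX_NOTE_FLUSHED_CMDS(cx);` before `return Success;` has no comment saying why a pixel read-back counts as a flush, and the same uncommented line is added to `__glXDispSwap_ReadPixels` in glx/singlepixswap.c. A one-line comment above it would help, such as `/* ReadPixels completes all prior commands, so record this context as flushed */`. The hunk does not show where `cx` is assigned or whether earlier error returns bypass this line. Skipping it on those paths looks intentional because no read happened, but that is worth confirming against the full function, which begins outside the hunk.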
 
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 143f204..a7febc9 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -102,6 +102,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
 	__GLX_SEND_HEADER();
 	__GLX_SEND_VOID_ARRAY(compsize);
     }
+    __GLX_NOTE_FLUSHED_CMDS(cx);
     return Success;
 }
 

