[RFC][PATCH] dix/resource: fix use after free in resource code with DRI

Dave Airlie airlied at redhat.com
Tue Jun 9 20:34:07 PDT 2009


LookupClientResourceComplex is used by DRI1 code to find and free a DRI
drawable in a callback; however, when the DRI code returns, this->value
is now pointing at freed memory. It seemed easiest to store the value
in a temporary and return it afterwards.

Another option might be a new FreeClientResourceComplex or one that
also returns the id, so we can free it using an alternative means.

Found using valgrind; any comments?
---
 dix/resource.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dix/resource.c b/dix/resource.c
index 73bc3a9..e8bdfec 100644
--- a/dix/resource.c
+++ b/dix/resource.c
@@ -717,8 +717,10 @@ LookupClientResourceComplex(
     for (i = 0; i < clientTable[client->index].buckets; i++) {
         for (this = resources[i]; this; this = this->next) {
 	    if (!type || this->type == type) {
-		if((*func)(this->value, this->id, cdata))
-		    return this->value;
+		/* workaround func freeing the type as DRI1 does */
+		pointer value = this->value;
+		if((*func)(value, this->id, cdata))
+		    return value;
 	    }
 	}
     }
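Review bot: saving `this->value` into `value` before the callback fixes the read of `this->value` after `func` has freed the resource, but the returned pointer is still the address of that freed drawable, so any caller that dereferences the result of LookupClientResourceComplex after a freeing callback has the same use-after-free one frame up; please document in the function comment that the return value must be treated as opaque when `func` frees the resource, or pursue the FreeClientResourceComplex variant mentioned in the cover text so the lookup itself never hands back a dangling pointer. The workaround also only covers the path where `func` returns TRUE: if a callback frees the resource and returns FALSE, the enclosing loop then evaluates `this = this->next` on freed memory, which this hunk does not address. Nit: the comment says "freeing the type", but what the DRI1 callback frees is the resource (the drawable), so "freeing the resource" would be clearer.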
-- 
1.6.2.2
