[PATCH] glx: Avoid use-after-free after drawableGone

jamey at minilop.net
Wed Sep 22 08:12:45 PDT 2010


I don't know the code, but this looks pretty obvious.

Reviewed-by: Jamey Sharp <jamey at minilop.net>

On Wed, Sep 22, 2010 at 5:32 AM, Chris Wilson <chris at chris-wilson.co.uk> wrote:
> Be careful during list processing to keep valgrind quiet:
>
> ==2989== Invalid read of size 4
> ==2989==    at 0x48CE6B5: DrawableGone (glxext.c:168)
> ==2989==    by 0x809F401: FreeResource (resource.c:601)
> ==2989==    by 0x80845CE: ProcDestroyWindow (dispatch.c:733)
> ==2989==    by 0x8087D76: Dispatch (dispatch.c:432)
> ==2989==    by 0x8066439: main (main.c:291)
> ==2989==  Address 0x55a9c1c is 76 bytes inside a block of size 88 free'd
> ==2989==    at 0x4023B6A: free (vg_replace_malloc.c:366)
> ==2989==    by 0x48D9DD8: __glXDRIcontextDestroy (glxdri2.c:250)
> ==2989==    by 0x48CE1A0: __glXFreeContext (glxext.c:222)
> ==2989==    by 0x48CE786: DrawableGone (glxext.c:165)
> ==2989==    by 0x809F401: FreeResource (resource.c:601)
> ==2989==    by 0x80845CE: ProcDestroyWindow (dispatch.c:733)
> ==2989==    by 0x8087D76: Dispatch (dispatch.c:432)
> ==2989==    by 0x8066439: main (main.c:291)
>
> Reported-by: Julien Cristau <jcristau at debian.org>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Kristian Høgsberg <krh at bitplanet.net>
> ---
>  glx/glxext.c |   11 +++++------
>  1 files changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/glx/glxext.c b/glx/glxext.c
> index e203156..69ed24e 100644
> --- a/glx/glxext.c
> +++ b/glx/glxext.c
> @@ -124,7 +124,7 @@ static int glxBlockClients;
>  */
>  static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
>  {
> -    __GLXcontext *c;
> +    __GLXcontext *c, *tmp;
>
>     /* If this drawable was created using glx 1.3 drawable
>      * constructors, we added it as a glx drawable resource under both
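Review bot: the new `*tmp` variable only ever holds the successor pointer saved before the loop body runs, so a name such as `next` would make its role in this hunk clearer than `tmp`; `tmp` is also left uninitialised at declaration, which is fine here only because the loop assigns it before use.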
> @@ -137,7 +137,8 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
>            FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
>     }
>
> -    for (c = glxAllContexts; c; c = c->next) {
> +    for (c = glxAllContexts; c; c = tmp) {
> +       tmp = c->next;
>        if (c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)) {
>            int i;
>
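Review bot: the saved-successor pattern at `tmp = c->next;` is correct only as long as `__glXFreeContext(c)` unlinks and frees `c` alone and never frees or unlinks the context `tmp` already points to; a one-line comment above the `for` stating that assumption would help the next person who reads the loop.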
> @@ -160,15 +161,13 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
>                    }
>                }
>            }
> -
> -           if (!c->idExists) {
> -               __glXFreeContext(c);
> -           }
>        }
>        if (c->drawPriv == glxPriv)
>            c->drawPriv = NULL;
>        if (c->readPriv == glxPriv)
>            c->readPriv = NULL;
> +       if (!c->idExists)
> +           __glXFreeContext(c);
>     }
>
>     glxPriv->destroy(glxPriv);
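Review bot: moving `__glXFreeContext(c)` after the `drawPriv`/`readPriv` clears fixes the read of freed memory, but it also widens when the free runs: the removed call sat inside the `c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)` branch, while the new `if (!c->idExists)` is evaluated for every context in `glxAllContexts`, so non-current contexts whose XID is already gone will now be freed from here too. If that is intended, the commit message should say so; otherwise keep the `isCurrent`/drawable match as a condition on the new `if`.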
> --
> 1.7.1
>

