[PATCH 7/9] dri2: Send events only to known clients

Christopher James Halse Rogers christopher.halse.rogers at canonical.com
Thu Feb 3 18:34:10 PST 2011 

On Thu, 2011-02-03 at 19:48 +0200, Pauli wrote:
> From: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
> 
> If client disconnects and new client gets same id DRI2 events may end to
> wrong client. DRI2 reference list can be checked to see if the client
> still owns the DRI2Drawable.
> 
> Signed-off-by: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
> ---
>  hw/xfree86/dri2/dri2.c |   25 +++++++++++++++++--------
>  1 files changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
> index b50206e..12c1f72 100644
> --- a/hw/xfree86/dri2/dri2.c
> +++ b/hw/xfree86/dri2/dri2.c
> @@ -255,7 +255,8 @@ DRI2LookupClientDrawableRef(DRI2DrawablePtr pPriv, ClientPtr client, XID id)
>      DRI2DrawableRefPtr ref;
>  
>      list_for_each_entry(ref, &pPriv->reference_list, link) {
> -	if (CLIENT_ID(ref->dri2_id) == client->index && ref->id == id)
> +	if (CLIENT_ID(ref->dri2_id) == client->index &&

If the client has gone then this isn't this a potential use-after-free?

> +		(id == 0 || ref->id == id))
>  	    return ref;
>      }
>      return NULL;
> @@ -739,21 +740,24 @@ void
>  DRI2WaitMSCComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
>  		    unsigned int tv_sec, unsigned int tv_usec)
>  {
> +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
> +    ClientPtr blockedClient = pPriv->blockedClient;
> +
> +    pPriv->blockedClient = NULL;
> +    pPriv->blockedOnMsc = FALSE;
>      pPriv->refcnt--;
>  
> -    if (pPriv->refcnt == 0) {
> -	DRI2DrawableGone(pPriv, 0);
> +    if (ref == NULL) {
> +	if (pPriv->refcnt == 0)
> +	    DRI2DrawableGone(pPriv, 0);
>  	return;
>      }
>  
>      ProcDRI2WaitMSCReply(client, ((CARD64)tv_sec * 1000000) + tv_usec,
>  			 frame, pPriv->swap_count);
>  
> -    if (pPriv->blockedClient)
> -	AttendClient(pPriv->blockedClient);
> -
> -    pPriv->blockedClient = NULL;
> -    pPriv->blockedOnMsc = FALSE;
> +    if (blockedClient)
> +	AttendClient(blockedClient);
>  }
>  
>  static void
> @@ -806,6 +810,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
>  		   DRI2SwapEventPtr swap_complete, void *swap_data)
>  {
>      DRI2SwapCompleteDataPtr pSwapData = swap_data;
> +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
>      DrawablePtr     pDraw = pPriv->drawable;
>      CARD64          ust = 0;
>  
> @@ -813,6 +818,9 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
>      pPriv->swap_count++;
>      pPriv->refcnt--;
>  
> +    if (ref == NULL)
> +	goto out;
> +
>      if (pDraw) {
>  	BoxRec          box;
>  	RegionRec       region;
> @@ -836,6 +844,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
>  
>      DRI2WakeClient(client, pPriv, frame, tv_sec, tv_usec);
>  
> +out:
>      free_swap_complete_data(pPriv, pSwapData);
>  
>      if (pPriv->refcnt == 0)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.x.org/archives/xorg-devel/attachments/20110204/8a757c69/attachment-0001.pgp>

More information about the xorg-devel mailing list