[PATCH 1/2] shm: Fix use-after-free in ShmDestroyPixmap
Chris Wilson
chris at chris-wilson.co.uk
Sat Feb 14 02:36:44 PST 2015
We pass the pPixmap->drawable.id to the ShmDetachSegment function after
the pPixmap is freed. Fortunately, we don't use the value inside
ShmDetachSegment and can simply pass zero instead.
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
---
Xext/shm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Xext/shm.c b/Xext/shm.c
index db9d474..52d9974 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -260,7 +260,7 @@ ShmDestroyPixmap(PixmapPtr pPixmap)
pScreen->DestroyPixmap = ShmDestroyPixmap;
if (shmdesc)
- ShmDetachSegment(shmdesc, pPixmap->drawable.id);
+ ShmDetachSegment(shmdesc, 0);
return ret;
}
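Review bot: The literal 0 in `ShmDetachSegment(shmdesc, 0);` is unexplained at the call site, so a later reader could "fix" it by restoring `pPixmap->drawable.id`, which the commit message says is read after the pixmap is freed. A short comment above the call stating that ShmDetachSegment ignores its XID argument would make the intent durable. If the id were ever needed here, it should be copied into a local before the pixmap is destroyed rather than read through pPixmap at this point.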
@@ -427,7 +427,7 @@ ProcShmAttach(ClientPtr client)
/*ARGSUSED*/ static int
ShmDetachSegment(void *value, /* must conform to DeleteType */
- XID shmseg)
+ XID unused)
{
ShmDescPtr shmdesc = (ShmDescPtr) value;
ShmDescPtr *prev;
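Review bot: Renaming the second parameter to `unused` drops the only hint of what the value is when the function is invoked through the resource-deletion path that the "must conform to DeleteType" comment refers to. Consider adding a trailing comment in the same style as the one on `value`, for example `/* segment XID, ignored */`, so the signature documents both the meaning and the fact that callers such as ShmDestroyPixmap may pass 0. The existing `/*ARGSUSED*/` marker already covers the lint side, so the comment is purely for readers.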
--
2.1.4