[PATCH 1/2] shm: Fix use-after-free in ShmDestroyPixmap
Michel Dänzer
michel at daenzer.net
Sat Feb 14 03:33:18 PST 2015
On 14.02.2015 19:36, Chris Wilson wrote:
> We pass the pPixmap->drawable.id to the ShmDetachSegment function after
> the pPixmap is freed. Fortunately, we don't use the value inside
> ShmDetachSegment and can simply pass zero instead.
>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> ---
> Xext/shm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Xext/shm.c b/Xext/shm.c
> index db9d474..52d9974 100644
> --- a/Xext/shm.c
> +++ b/Xext/shm.c
> @@ -260,7 +260,7 @@ ShmDestroyPixmap(PixmapPtr pPixmap)
> pScreen->DestroyPixmap = ShmDestroyPixmap;
>
> if (shmdesc)
> - ShmDetachSegment(shmdesc, pPixmap->drawable.id);
> + ShmDetachSegment(shmdesc, 0);
>
> return ret;
> }
> @@ -427,7 +427,7 @@ ProcShmAttach(ClientPtr client)
>
> /*ARGSUSED*/ static int
> ShmDetachSegment(void *value, /* must conform to DeleteType */
> - XID shmseg)
> + XID unused)
> {
> ShmDescPtr shmdesc = (ShmDescPtr) value;
> ShmDescPtr *prev;
>
It's a static function, so you can just remove the unused parameter.
--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
More information about the xorg-devel
mailing list