dix/resource: fix use after free in resource code with DRI
LookupClientResourceComplex is used by DRI1 code to find and free a DRI drawable in a callback, however when the DRI code returns this->value is now pointing at freed memory. It seemed easiest to store the value to a temporary and return it afterwards. Another option might be a new FreeClientResourceComplex or one that also returns the id, so we can free it using an alternative means. found using valgrind. amended along ajax's suggestions
This commit is contained in:
Dave Airlie
parent
184deb9bc3
commit
07c36e4fdc
|
|
@ -707,7 +707,8 @@ LookupClientResourceComplex(
|
|||
pointer cdata
|
||||
){
|
||||
ResourcePtr *resources;
|
||||
ResourcePtr this;
|
||||
ResourcePtr this, next;
|
||||
pointer value;
|
||||
int i;
|
||||
|
||||
if (!client)
|
||||
|
|
@ -715,10 +716,13 @@ LookupClientResourceComplex(
|
|||
|
||||
resources = clientTable[client->index].resources;
|
||||
for (i = 0; i < clientTable[client->index].buckets; i++) {
|
||||
for (this = resources[i]; this; this = this->next) {
|
||||
for (this = resources[i]; this; this = next) {
|
||||
next = this->next;
|
||||
if (!type || this->type == type) {
|
||||
if((*func)(this->value, this->id, cdata))
|
||||
return this->value;
|
||||
/* workaround func freeing the type as DRI1 does */
|
||||
value = this->value;
|
||||
if((*func)(value, this->id, cdata))
|
||||
return value;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user