From 2f0abd7d690c3bcce2a80c093a0880f43e56d8cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?= <krh@bitplanet.net>
Date: Thu, 23 Sep 2010 09:04:11 -0400
Subject: [PATCH] glx: Fix use after free in DrawableGone
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(note that nearly identical patches were proposed by Kristian and Chris)

Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reported-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Keith Packard <keithp@keithp.com>
---
 glx/glxext.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/glx/glxext.c b/glx/glxext.c
index e203156e4..f5ebe4f7e 100644
--- a/glx/glxext.c
+++ b/glx/glxext.c
@@ -124,7 +124,7 @@ static int glxBlockClients;
 */
 static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
 {
-    __GLXcontext *c;
+    __GLXcontext *c, *next;
 
     /* If this drawable was created using glx 1.3 drawable
      * constructors, we added it as a glx drawable resource under both
@@ -137,7 +137,8 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
 	    FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE);
     }
 
-    for (c = glxAllContexts; c; c = c->next) {
+    for (c = glxAllContexts; c; c = next) {
+	next = c->next;
 	if (c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)) {
 	    int i;
 
@@ -160,15 +161,13 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid)
 		    }
 		}
 	    }
-
-	    if (!c->idExists) {
-		__glXFreeContext(c);
-	    }
 	}
 	if (c->drawPriv == glxPriv)
 	    c->drawPriv = NULL;
 	if (c->readPriv == glxPriv)
 	    c->readPriv = NULL;
+	if (!c->idExists && !c->isCurrent)
+	    __glXFreeContext(c);
     }
 
     glxPriv->destroy(glxPriv);