andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

glamor: Fix use-after-free in glamor_destroy_textured_pixmap

Browse Source 
==25551== Invalid read of size 8
==25551==    at 0x85D5F2C: glamor_egl_destroy_pixmap_image (glamor_egl.c:527)
==25551==    by 0x85D7750: glamor_destroy_pixmap (glamor.c:235)
==25551==    by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278)
==25551==    by 0x5098F6: FreePicture (picture.c:1425)
==25551==    by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257)
==25551==    by 0x85D7B50: glamor_close_screen (glamor.c:586)
==25551==    by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734)
==25551==    by 0x4CFFC7: CursorCloseScreen (cursor.c:187)
==25551==    by 0x513A44: AnimCurCloseScreen (animcur.c:106)
==25551==    by 0x51529B: present_close_screen (present_screen.c:64)
==25551==    by 0x43CA83: dix_main (main.c:351)
==25551==    by 0x6CFAB44: (below main) (libc-start.c:287)
==25551==  Address 0x83dafa0 is 96 bytes inside a block of size 152 free'd
==25551==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25551==    by 0x85D76B4: glamor_destroy_textured_pixmap (glamor.c:225)
==25551==    by 0x85D7750: glamor_destroy_pixmap (glamor.c:235)
==25551==    by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278)
==25551==    by 0x5098F6: FreePicture (picture.c:1425)
==25551==    by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257)
==25551==    by 0x85D7B50: glamor_close_screen (glamor.c:586)
==25551==    by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734)
==25551==    by 0x4CFFC7: CursorCloseScreen (cursor.c:187)
==25551==    by 0x513A44: AnimCurCloseScreen (animcur.c:106)
==25551==    by 0x51529B: present_close_screen (present_screen.c:64)
==25551==    by 0x43CA83: dix_main (main.c:351)

Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
Michel Dänzer 2014-12-11 16:50:37 +09:00 committed by Keith Packard
parent 913416b718
commit 45b333525e
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
glamor/glamor.c
View File

@ -221,11 +221,12 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
{
if (pixmap->refcnt == 1) {
glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap);
if (pixmap_priv != NULL)
glamor_pixmap_destroy_fbo(pixmap_priv);
if (pixmap_priv != NULL) {
#if GLAMOR_HAS_GBM
glamor_egl_destroy_pixmap_image(pixmap);
glamor_egl_destroy_pixmap_image(pixmap);
#endif
glamor_pixmap_destroy_fbo(pixmap_priv);
}
}
}