From a2d0829531249e24dbca25fc20ed30a2bb2d8ed8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
Date: Thu, 12 Jul 2012 13:16:37 +0200
Subject: [PATCH] glx: Free DRI2 drawable reference to destroyed GLX drawable.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise the reference can lead to use after free in __glXDRIinvalidateBuffers().

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50019

Signed-off-by: Michel Dänzer
Reviewed-by: Kristian Høgsberg
Signed-off-by: Keith Packard
---
 glx/glxdri2.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index 909de706a..be5afbce4 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -106,6 +106,7 @@ struct __GLXDRIdrawable {
 int height;
 __DRIbuffer buffers[MAX_DRAWABLE_BUFFERS];
 int count;
+ XID dri2_id;
 };
 
 static void
@@ -114,6 +115,8 @@ __glXDRIdrawableDestroy(__GLXdrawable * drawable)
 __GLXDRIdrawable *private = (__GLXDRIdrawable *) drawable;
 const __DRIcoreExtension *core = private->screen->core;
 
+ FreeResource(private->dri2_id, FALSE);
+
 (*core->destroyDrawable) (private->driDrawable);
 
 __glXDrawableRelease(drawable);
@@ -670,8 +673,9 @@ __glXDRIscreenCreateDrawable(ClientPtr client,
 private->base.waitGL = __glXDRIdrawableWaitGL;
 private->base.waitX = __glXDRIdrawableWaitX;
 
- if (DRI2CreateDrawable(client, pDraw, drawId,
- __glXDRIinvalidateBuffers, private)) {
+ if (DRI2CreateDrawable2(client, pDraw, drawId,
+ __glXDRIinvalidateBuffers, private,
+ &private->dri2_id)) {
 free(private);
 return NULL;
 }
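Review bot: The new `FreeResource(private->dri2_id, FALSE);` at the top of __glXDRIdrawableDestroy carries an ordering requirement that nothing in the code records. It has to run before `destroyDrawable` and `__glXDrawableRelease`, because DRI2 was handed `private` as callback data and could otherwise call __glXDRIinvalidateBuffers() on memory that has already been released. I would add a comment such as `/* Drop the DRI2 reference first: it holds this drawable as callback data and must not outlive it. */`. The hunk also does not show whether the DRI2 resource can be freed earlier by some other path; if it can, the stored id would be stale here, so it is worth confirming that `dri2_id` always names a live resource owned by this drawable. The end of the function is outside the hunk.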
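Review bot: Once DRI2CreateDrawable2() succeeds in __glXDRIscreenCreateDrawable, DRI2 holds `private` as callback data under `private->dri2_id`. Any later failure path that frees `private` would therefore need `FreeResource(private->dri2_id, FALSE);` first, otherwise the use after free this commit fixes comes back on the creation side. The rest of the function is outside the hunk, so whether such a path exists cannot be confirmed from here. The visible error branch (`free(private); return NULL;`) is only safe if DRI2CreateDrawable2() registers nothing when it returns non-zero; a short comment stating that assumption, e.g. `/* on failure no DRI2 reference to private exists yet */`, would make the invariant checkable.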