glx: fix crash when freeing visuals

Don't set screen->num_vis to a value greater than the actual number of visuals. X.Org Bug #10809 <http://bugs.freedesktop.org/show_bug.cgi?id=10809>
2007-08-23 19:38:53 +02:00 · 2007-08-23 19:38:53 +02:00 · ff089e6cae
commit ff089e6cae
parent 943dd6ad99
1 changed files with 8 additions and 5 deletions
--- a/GL/glx/glxglcore.c
+++ b/GL/glx/glxglcore.c
@ -296,7 +296,7 @@ static void init_screen_visuals(__GLXMESAscreen *screen)
    __GLcontextModes *modes;
    XMesaVisual *pXMesaVisual;
    int *used;
-    int i, j, size;
+    int num_vis, j, size;

    /* Alloc space for the list of XMesa visuals */
    size = screen->base.numVisuals * sizeof(XMesaVisual);
@ -312,7 +312,7 @@ static void init_screen_visuals(__GLXMESAscreen *screen)
    used = (int *) xalloc(pScreen->numVisuals * sizeof(int));
    memset(used, 0, pScreen->numVisuals * sizeof(int));

-    i = 0;
+    num_vis = 0;
    for ( modes = screen->base.modes; modes != NULL; modes = modes->next ) {
 	const int vis_class = _gl_convert_to_x_visual_type( modes->visualType );
 	const int nplanes = (modes->rgbBits - modes->alphaBits);
@ -327,7 +327,8 @@ static void init_screen_visuals(__GLXMESAscreen *screen)
 		!used[j]) {

 		/* Create the XMesa visual */
-		pXMesaVisual[i] =
+                assert(num_vis < screen->base.numVisuals);
+		pXMesaVisual[num_vis] =
 		    XMesaCreateVisual(pScreen,
 				      &pVis[j],
 				      modes->rgbMode,
@ -364,13 +365,15 @@ static void init_screen_visuals(__GLXMESAscreen *screen)
 	    FatalError( "Matching visual found, but visualID still -1!\n" );
 	}

-	i++;
+	num_vis++;
    }

    xfree(used);

-    screen->num_vis = pScreen->numVisuals;
+    screen->num_vis = num_vis;
    screen->xm_vis = pXMesaVisual;
+
+    assert(screen->num_vis <= screen->base.numVisuals);
 }

 static __GLXscreen *