dix: Clear any existing selections before initializing privates

If there is a selection left over from a previous execution of the
main loop, and that selection has privates allocated for it, the X
server will crash. This is because dixResetPrivates() resets the
privates refcounts to zero without accounting for the reference held
by the selection object. When the selection is then deleted in
InitSelections() after the call to dixResetPrivates(), the refcount
for its privates type goes negative and bad things happen.

To fix this, we should delete any existing selections before calling
dixResetPrivates(). This will properly release the selection's
privates and avoid the crash.

A more thorough description of the problem and a test case to
reproduce the crash is available at a previous mail:
  "Negative Selection devPrivates refcount?"
  By Andrew Eikum to xorg-devel on 10 Dec 2013
  http://lists.freedesktop.org/archives/xorg-devel/2013-December/039492.html

Signed-off-by: Andrew Eikum <aeikum@codeweavers.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/dix/main.c b/dix/main.c
index fcc1ad30a..7427e08ca 100644
--- a/dix/main.c
+++ b/dix/main.c
@@ -175,6 +175,9 @@ dix_main(int argc, char *argv[], char *envp[])
         clients[0] = serverClient;
         currentMaxClients = 1;
 
+        /* clear any existing selections */
+        InitSelections();
+
         /* Initialize privates before first allocation */
         dixResetPrivates();
 
@@ -192,7 +195,6 @@ dix_main(int argc, char *argv[], char *envp[])
 
         InitAtoms();
         InitEvents();
-        InitSelections();
         InitGlyphCaching();
         dixResetRegistry();
         ResetFontPrivateIndex();