Fix use-after-free in _XReply on X errors.

_XReply would always call dequeue_pending_request on errors. When it got an error for the current request, it would call dequeue, then break out of the loop; then, if it had an error in the event queue, it would compare it with the sequence number of the now-freed pending request. _XReply already stored that sequence number in dpy->last_request_read before freeing it, so look at that instead. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412 Signed-off-by: Jamey Sharp <jamey@minilop.net> Signed-off-by: Josh Triplett <josh@joshtriplett.org>
author: Jamey Sharp <jamey@minilop.net> 2010-08-06 15:51:56 -0700
committer: Jamey Sharp <jamey@minilop.net> 2010-08-06 15:51:56 -0700
commit: 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18 (patch)
tree: 33ae0952ba47fd538dec542d109fcd23adb520ea /src
parent: 9fa146b30046396b70d64986e50d6617b3a8ac48 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/xcb_io.c b/src/xcb_io.c
index 542051e8..7e685de4 100644
--- a/src/xcb_io.c
+++ b/src/xcb_io.c
@@ -580,7 +580,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard)
 		xcb_generic_event_t *event = dpy->xcb->next_event;
 		unsigned long event_sequence = dpy->last_request_read;
 		widen(&event_sequence, event->full_sequence);
-		if(event_sequence == current->sequence)
+		if(event_sequence == dpy->last_request_read)
 		{
 			error = (xcb_generic_error_t *) event;
 			dpy->xcb->next_event = NULL;
author	Jamey Sharp <jamey@minilop.net>	2010-08-06 15:51:56 -0700
committer	Jamey Sharp <jamey@minilop.net>	2010-08-06 15:51:56 -0700
commit	4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18 (patch)
tree	33ae0952ba47fd538dec542d109fcd23adb520ea /src
parent	9fa146b30046396b70d64986e50d6617b3a8ac48 (diff)