diff options
author | Kristian Høgsberg <krh@bitplanet.net> | 2010-09-23 09:04:11 -0400 |
---|---|---|
committer | Keith Packard <keithp@keithp.com> | 2010-09-28 08:01:28 -0700 |
commit | 2f0abd7d690c3bcce2a80c093a0880f43e56d8cb (patch) | |
tree | da2d84c93193da57cc7be2ec29b7f932e4cc044f | |
parent | e416965bfd08dfae5d2b7932b5118efac20546ad (diff) |
glx: Fix use after free in DrawableGone
(note that nearly identical patches were proposed by Kristian and Chris)
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reported-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Keith Packard <keithp@keithp.com>
-rw-r--r-- | glx/glxext.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/glx/glxext.c b/glx/glxext.c index e203156e4..f5ebe4f7e 100644 --- a/glx/glxext.c +++ b/glx/glxext.c @@ -124,7 +124,7 @@ static int glxBlockClients; */ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) { - __GLXcontext *c; + __GLXcontext *c, *next; /* If this drawable was created using glx 1.3 drawable * constructors, we added it as a glx drawable resource under both @@ -137,7 +137,8 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE); } - for (c = glxAllContexts; c; c = c->next) { + for (c = glxAllContexts; c; c = next) { + next = c->next; if (c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)) { int i; @@ -160,15 +161,13 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) } } } - - if (!c->idExists) { - __glXFreeContext(c); - } } if (c->drawPriv == glxPriv) c->drawPriv = NULL; if (c->readPriv == glxPriv) c->readPriv = NULL; + if (!c->idExists && !c->isCurrent) + __glXFreeContext(c); } glxPriv->destroy(glxPriv); |