dix/resource: fix use after free in resource code with DRI
LookupClientResourceComplex is used by DRI1 code to find and free a DRI drawable in a callback; however, when the DRI code returns, this->value is now pointing at freed memory. It seemed easiest to store the value in a temporary and return it afterwards. Another option might be a new FreeClientResourceComplex, or one that also returns the id, so we can free it by alternative means. Found using valgrind. Amended along ajax's suggestions.
parent
184deb9bc3
commit
07c36e4fdc
|
@ -707,7 +707,8 @@ LookupClientResourceComplex(
|
||||||
pointer cdata
|
pointer cdata
|
||||||
){
|
){
|
||||||
ResourcePtr *resources;
|
ResourcePtr *resources;
|
||||||
ResourcePtr this;
|
ResourcePtr this, next;
|
||||||
|
pointer value;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (!client)
|
if (!client)
|
||||||
|
@ -715,10 +716,13 @@ LookupClientResourceComplex(
|
||||||
|
|
||||||
resources = clientTable[client->index].resources;
|
resources = clientTable[client->index].resources;
|
||||||
for (i = 0; i < clientTable[client->index].buckets; i++) {
|
for (i = 0; i < clientTable[client->index].buckets; i++) {
|
||||||
for (this = resources[i]; this; this = this->next) {
|
for (this = resources[i]; this; this = next) {
|
||||||
|
next = this->next;
|
||||||
if (!type || this->type == type) {
|
if (!type || this->type == type) {
|
||||||
if((*func)(this->value, this->id, cdata))
|
/* workaround func freeing the type as DRI1 does */
|
||||||
return this->value;
|
value = this->value;
|
||||||
|
if((*func)(value, this->id, cdata))
|
||||||
|
return value;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
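Review bot: `return value;` can hand the caller a pointer that the callback has already freed, because the commit message says the DRI1 callback frees the drawable it is given; caching `this->value` avoids reading the freed resource entry but does not make the returned pointer safe to dereference. The comment above the assignment should state that contract, for example `/* func may free this resource (DRI1 does): read value and next before calling it; the returned pointer may be stale, so callers may test it but must not dereference it */`, and "freeing the type" in the current comment should read "freeing the resource". The cached `next` is only safe if the callback frees nothing but the current entry; if a callback can free other entries in the same bucket or cause the table to be resized, `next` and the `resources` pointer taken before the loop would be stale as well, which is worth confirming against the callers. The function starts before the first hunk and ends after the second, so the final return path is not visible here.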