From 1548e8ae5d28ed0eb6057a1a19cfc84a78ef34dc Mon Sep 17 00:00:00 2001
From: Maarten Maathuis <madman2003@gmail.com>
Date: Fri, 7 Aug 2009 20:04:53 +0200
Subject: [PATCH] exa: fix a potential loophole in "mixed"

- Always free sys_ptr before setting the pixmap to pinned.
---
 exa/exa_mixed.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/exa/exa_mixed.c b/exa/exa_mixed.c
index 47fa6d448..0d2552d8b 100644
--- a/exa/exa_mixed.c
+++ b/exa/exa_mixed.c
@@ -145,20 +145,22 @@ exaModifyPixmapHeader_mixed(PixmapPtr pPixmap, int width, int height, int depth,
     pExaPixmap = ExaGetPixmapPriv(pPixmap);
 
     if (pExaPixmap) {
-        if (pPixData) {
-	    if (!exaPixmapIsPinned(pPixmap)) {
-		free(pExaPixmap->sys_ptr);
+	if (!exaPixmapIsPinned(pPixmap)) {
+	    free(pExaPixmap->sys_ptr);
+	    pExaPixmap->sys_ptr = pPixmap->devPrivate.ptr = NULL;
+	    pExaPixmap->sys_pitch = pPixmap->devKind = 0;
 
-		/* We no longer need this. */
-		if (pExaPixmap->pDamage) {
-		    DamageUnregister(&pPixmap->drawable, pExaPixmap->pDamage);
-		    DamageDestroy(pExaPixmap->pDamage);
-		    pExaPixmap->pDamage = NULL;
-		}
+	    /* We no longer need this. */
+	    if (pExaPixmap->pDamage) {
+		DamageUnregister(&pPixmap->drawable, pExaPixmap->pDamage);
+		DamageDestroy(pExaPixmap->pDamage);
+		pExaPixmap->pDamage = NULL;
 	    }
-            pExaPixmap->sys_ptr = pPixData;
 	}
 
+        if (pPixData)
+            pExaPixmap->sys_ptr = pPixData;
+
         if (devKind > 0)
             pExaPixmap->sys_pitch = devKind;