From 4151a13c80f3afa43f88afcf19a7aeb16dace93a Mon Sep 17 00:00:00 2001
From: Francisco Jerez <currojerez@riseup.net>
Date: Mon, 5 Oct 2009 02:39:03 +0200
Subject: [PATCH] dix: Fix a double free in dixFreePrivates.

It can be reproduced when the server is regenerated and for some
reason the private keys are reassigned in a different order: a
manually allocated private may get an index formerly used by a
preallocated private. In that case it will first be manually freed and
then again by dixFreePrivates, as items[i].size was never zeroed
out. Do it in dixResetPrivates.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Keith Packard <keithp@keithp.com>
---
 dix/privates.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dix/privates.c b/dix/privates.c
index 3a2deb85c..e3e727462 100644
--- a/dix/privates.c
+++ b/dix/privates.c
@@ -303,6 +303,7 @@ dixResetPrivates(void)
     /* reset private descriptors */
     for (i = 1; i < nextPriv; i++) {
 	*items[i].key = 0;
+	items[i].size = 0;
 	DeleteCallbackList(&items[i].initfuncs);
 	DeleteCallbackList(&items[i].deletefuncs);
     }