From e62246641b9a8460d043bd3ed7bbc63aedb83652 Mon Sep 17 00:00:00 2001 From: Wanli Niu Date: Thu, 1 Feb 2024 09:48:53 +0100 Subject: [PATCH] dix: Fix segfault if CreateGC() failed in XaceHook() CreateGC() allocates a new GC and then checks the resource access rights with XaceHook(). If the call to XaceHook() fails (i.e. GC creation is not granted to the client), CreateGC() exits early and calls FreeGC() to avoid leaking the newly allocated GC. If that happens, the screen's own CreateGC() has not yet been invoked, and as a result the GC functions (GCfuncs) have not been set yet. FreeGC() will invoke the funcs->DestroyClip() and the funcs->DestroyGC() functions, but since those haven't been set, the Xserver will segfault trying to call a NULL function. To prevent that issue, make sure the GC's functions are initialized prior to call them in FreeGC(). Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1625 Reviewed-by: Olivier Fourdan --- dix/gc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dix/gc.c b/dix/gc.c index 4ccbd3b54..0e75e8765 100644 --- a/dix/gc.c +++ b/dix/gc.c @@ -770,14 +770,16 @@ FreeGC(void *value, XID gid) GCPtr pGC = (GCPtr) value; CloseFont(pGC->font, (Font) 0); - (*pGC->funcs->DestroyClip) (pGC); + if (pGC->funcs) + (*pGC->funcs->DestroyClip) (pGC); if (!pGC->tileIsPixel) (*pGC->pScreen->DestroyPixmap) (pGC->tile.pixmap); if (pGC->stipple) (*pGC->pScreen->DestroyPixmap) (pGC->stipple); - (*pGC->funcs->DestroyGC) (pGC); + if (pGC->funcs) + (*pGC->funcs->DestroyGC) (pGC); if (pGC->dash != DefaultDash) free(pGC->dash); dixFreeObjectWithPrivates(pGC, PRIVATE_GC);