summaryrefslogtreecommitdiff
path: root/glamor/glamor.c
diff options
context:
space:
mode:
authorMichel Dänzer <michel.daenzer@amd.com>2014-12-11 16:50:37 +0900
committerKeith Packard <keithp@keithp.com>2014-12-11 19:35:59 -0800
commit45b333525e4626523f2b3b7bb360404b6366750d (patch)
treeda3e8ca1a18930b0e91f8524190796b78e668651 /glamor/glamor.c
parent913416b718e73e7416c2128a82d2e5e5cd962d28 (diff)
glamor: Fix use-after-free in glamor_destroy_textured_pixmap
==25551== Invalid read of size 8 ==25551== at 0x85D5F2C: glamor_egl_destroy_pixmap_image (glamor_egl.c:527) ==25551== by 0x85D7750: glamor_destroy_pixmap (glamor.c:235) ==25551== by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278) ==25551== by 0x5098F6: FreePicture (picture.c:1425) ==25551== by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257) ==25551== by 0x85D7B50: glamor_close_screen (glamor.c:586) ==25551== by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734) ==25551== by 0x4CFFC7: CursorCloseScreen (cursor.c:187) ==25551== by 0x513A44: AnimCurCloseScreen (animcur.c:106) ==25551== by 0x51529B: present_close_screen (present_screen.c:64) ==25551== by 0x43CA83: dix_main (main.c:351) ==25551== by 0x6CFAB44: (below main) (libc-start.c:287) ==25551== Address 0x83dafa0 is 96 bytes inside a block of size 152 free'd ==25551== at 0x4C29E90: free (vg_replace_malloc.c:473) ==25551== by 0x85D76B4: glamor_destroy_textured_pixmap (glamor.c:225) ==25551== by 0x85D7750: glamor_destroy_pixmap (glamor.c:235) ==25551== by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278) ==25551== by 0x5098F6: FreePicture (picture.c:1425) ==25551== by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257) ==25551== by 0x85D7B50: glamor_close_screen (glamor.c:586) ==25551== by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734) ==25551== by 0x4CFFC7: CursorCloseScreen (cursor.c:187) ==25551== by 0x513A44: AnimCurCloseScreen (animcur.c:106) ==25551== by 0x51529B: present_close_screen (present_screen.c:64) ==25551== by 0x43CA83: dix_main (main.c:351) Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com>
Diffstat (limited to 'glamor/glamor.c')
-rw-r--r--glamor/glamor.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/glamor/glamor.c b/glamor/glamor.c
index b32cc1668..c4f3f3a34 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -221,11 +221,12 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
{
if (pixmap->refcnt == 1) {
glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap);
- if (pixmap_priv != NULL)
- glamor_pixmap_destroy_fbo(pixmap_priv);
+ if (pixmap_priv != NULL) {
#if GLAMOR_HAS_GBM
- glamor_egl_destroy_pixmap_image(pixmap);
+ glamor_egl_destroy_pixmap_image(pixmap);
#endif
+ glamor_pixmap_destroy_fbo(pixmap_priv);
+ }
}
}