From 45b333525e4626523f2b3b7bb360404b6366750d Mon Sep 17 00:00:00 2001 From: Michel Dänzer Date: Thu, 11 Dec 2014 16:50:37 +0900 Subject: glamor: Fix use-after-free in glamor_destroy_textured_pixmap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ==25551== Invalid read of size 8 ==25551== at 0x85D5F2C: glamor_egl_destroy_pixmap_image (glamor_egl.c:527) ==25551== by 0x85D7750: glamor_destroy_pixmap (glamor.c:235) ==25551== by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278) ==25551== by 0x5098F6: FreePicture (picture.c:1425) ==25551== by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257) ==25551== by 0x85D7B50: glamor_close_screen (glamor.c:586) ==25551== by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734) ==25551== by 0x4CFFC7: CursorCloseScreen (cursor.c:187) ==25551== by 0x513A44: AnimCurCloseScreen (animcur.c:106) ==25551== by 0x51529B: present_close_screen (present_screen.c:64) ==25551== by 0x43CA83: dix_main (main.c:351) ==25551== by 0x6CFAB44: (below main) (libc-start.c:287) ==25551== Address 0x83dafa0 is 96 bytes inside a block of size 152 free'd ==25551== at 0x4C29E90: free (vg_replace_malloc.c:473) ==25551== by 0x85D76B4: glamor_destroy_textured_pixmap (glamor.c:225) ==25551== by 0x85D7750: glamor_destroy_pixmap (glamor.c:235) ==25551== by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278) ==25551== by 0x5098F6: FreePicture (picture.c:1425) ==25551== by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257) ==25551== by 0x85D7B50: glamor_close_screen (glamor.c:586) ==25551== by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734) ==25551== by 0x4CFFC7: CursorCloseScreen (cursor.c:187) ==25551== by 0x513A44: AnimCurCloseScreen (animcur.c:106) ==25551== by 0x51529B: present_close_screen (present_screen.c:64) ==25551== by 0x43CA83: dix_main (main.c:351) Signed-off-by: Michel Dänzer Reviewed-by: Keith Packard Signed-off-by: Keith Packard --- glamor/glamor.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'glamor') diff --git a/glamor/glamor.c b/glamor/glamor.c index b32cc1668..c4f3f3a34 100644 --- a/glamor/glamor.c +++ b/glamor/glamor.c @@ -221,11 +221,12 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap) { if (pixmap->refcnt == 1) { glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap); - if (pixmap_priv != NULL) - glamor_pixmap_destroy_fbo(pixmap_priv); + if (pixmap_priv != NULL) { #if GLAMOR_HAS_GBM - glamor_egl_destroy_pixmap_image(pixmap); + glamor_egl_destroy_pixmap_image(pixmap); #endif + glamor_pixmap_destroy_fbo(pixmap_priv); + } } } -- cgit v1.2.3