From bcec9f867d19e954a46c2654a79782bff6c65fce Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Sat, 14 Feb 2015 10:36:44 +0000
Subject: shm: Fix use-after-free in ShmDestroyPixmap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We pass the pPixmap->drawable.id to the ShmDetachSegment function after
the pPixmap is freed. Fortunately, we don't use the value inside
ShmDetachSegment and can simply pass zero instead.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Michel Dänzer <michel@daenzer.net>
---
 Xext/shm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Xext')

diff --git a/Xext/shm.c b/Xext/shm.c
index db9d47450..52d997425 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -260,7 +260,7 @@ ShmDestroyPixmap(PixmapPtr pPixmap)
     pScreen->DestroyPixmap = ShmDestroyPixmap;
 
     if (shmdesc)
-	ShmDetachSegment(shmdesc, pPixmap->drawable.id);
+	ShmDetachSegment(shmdesc, 0);
 
     return ret;
 }
@@ -427,7 +427,7 @@ ProcShmAttach(ClientPtr client)
 
  /*ARGSUSED*/ static int
 ShmDetachSegment(void *value, /* must conform to DeleteType */
-                 XID shmseg)
+                 XID unused)
 {
     ShmDescPtr shmdesc = (ShmDescPtr) value;
     ShmDescPtr *prev;
-- 
cgit v1.2.3