xserver: Branch 'master'
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Feb 2 08:17:04 UTC 2024
dix/gc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
New commits:
commit e62246641b9a8460d043bd3ed7bbc63aedb83652
Author: Wanli Niu <kiraskyler at 163.com>
Date: Thu Feb 1 09:48:53 2024 +0100
dix: Fix segfault if CreateGC() failed in XaceHook()
CreateGC() allocates a new GC and then checks the resource access rights
with XaceHook().
If the call to XaceHook() fails (i.e. GC creation is not granted to the
client), CreateGC() exits early and calls FreeGC() to avoid leaking the
newly allocated GC.
If that happens, the screen's own CreateGC() has not yet been invoked,
and as a result the GC functions (GCfuncs) have not been set yet.
FreeGC() will invoke the funcs->DestroyClip() and the funcs->DestroyGC()
functions, but since those haven't been set, the Xserver will segfault
trying to call a NULL function.
To prevent that issue, make sure the GC's functions are initialized
prior to call them in FreeGC().
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1625
Reviewed-by: Olivier Fourdan <ofourdan at redhat.com>
diff --git a/dix/gc.c b/dix/gc.c
index 4ccbd3b54..0e75e8765 100644
--- a/dix/gc.c
+++ b/dix/gc.c
@@ -770,14 +770,16 @@ FreeGC(void *value, XID gid)
GCPtr pGC = (GCPtr) value;
CloseFont(pGC->font, (Font) 0);
- (*pGC->funcs->DestroyClip) (pGC);
+ if (pGC->funcs)
+ (*pGC->funcs->DestroyClip) (pGC);
if (!pGC->tileIsPixel)
(*pGC->pScreen->DestroyPixmap) (pGC->tile.pixmap);
if (pGC->stipple)
(*pGC->pScreen->DestroyPixmap) (pGC->stipple);
- (*pGC->funcs->DestroyGC) (pGC);
+ if (pGC->funcs)
+ (*pGC->funcs->DestroyGC) (pGC);
if (pGC->dash != DefaultDash)
free(pGC->dash);
dixFreeObjectWithPrivates(pGC, PRIVATE_GC);
More information about the xorg-commit
mailing list