<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - read-after-free in st_framebuffer_validate"
href="https://bugs.freedesktop.org/show_bug.cgi?id=101829#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - read-after-free in st_framebuffer_validate"
href="https://bugs.freedesktop.org/show_bug.cgi?id=101829">bug 101829</a>
from <span class="vcard"><a class="email" href="mailto:gw.fossdev@gmail.com" title="Gert Wollny <gw.fossdev@gmail.com>"> <span class="fn">Gert Wollny</span></a>
</span></b>
<pre>The patch didn't help on my side.
I've added some debug output to see what is going on. In summary, stfb->iface
in st_manager.c is not properly updated and points to a destroyed buffer,
which is then accessed in st_framebuffers_purge, see below:
valgrind glretrace Downloads/example.trace
==3152== Memcheck, a memory error detector
==3152== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3152== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3152== Command: glretrace Downloads/example.trace
==3152==
dri_get_drawable: 0x161220b0 refcount: 1
dri_create_buffer 0x161220b0: 0x16122130
driCreateNewDrawable: 0x161220b0 refcount: 1 buffer: 0x16122130
driFetchDrawable (create): 0x16121fa0 refcount: 1
driFetchDrawable: 0x16121fa0 refcount: 2
dri_get_drawable: 0x161220b0 refcount: 2
Bind context 0x16036270 pdp 0x161220b0 prp 0x161220b0
stdraw= 0x16122520
stread= 0x16122520
st= 0x160ecc10
stfb->iface= 0x16122130
dri_put_drawable: 0x161220b0 refcount: 1
Unbind context 0x16036270 pdp 0x161220b0 prp 0x161220b0
dri_get_drawable: 0x162791f0 refcount: 1
dri_create_buffer 0x162791f0: 0x16279270 <==== create new buffer (2)
driCreateNewDrawable: 0x162791f0 refcount: 1 buffer: 0x16279270
driFetchDrawable (create): 0x162790e0 refcount: 1
driFetchDrawable: 0x162790e0 refcount: 2
dri_get_drawable: 0x162791f0 refcount: 2
Bind context 0x16196340 pdp 0x162791f0 prp 0x162791f0
stdraw= 0x16279550
stread= 0x16279550
st= 0x16246250
in st_framebuffers_purge;
stfb->iface= 0x16279270 <============================= first use
dri_put_drawable: 0x162791f0 refcount: 1
Unbind context 0x16196340 pdp 0x162791f0 prp 0x162791f0
dri_get_drawable: 0x1628b1c0 refcount: 1
dri_create_buffer 0x1628b1c0: 0x1628b240 <==== create new buffer (3)
driCreateNewDrawable: 0x1628b1c0 refcount: 1 buffer: 0x1628b240
driFetchDrawable: 0x1628b0b0 refcount: 1
driFetchDrawable: 0x1628b0b0 refcount: 2
driReleaseDrawables; Drawable: 0x162790e0 refcount: 2
driReleaseDrawables; Readable: 0x162790e0 refcount: 1
dri2DestroyDrawable 0x162791f0
driDestroyDrawable: 0x162791f0 refcount: 1
dri_put_drawable: 0x162791f0 refcount: 0
--- Destroy
dri_destroy_buffer 0x162791f0: 0x16279270 <====== buffer (2) destroyed
dri_get_drawable: 0x1628b1c0 refcount: 2
Bind context 0x16196340 pdp 0x1628b1c0 prp 0x1628b1c0
stdraw= 0x1628d770
stread= 0x1628d770
st= 0x16246250
stfb->iface= 0x16279270 <====== still pointing to the destroyed buffer
should have been updated to (3) 0x1628b240
==3152== Invalid read of size 4
==3152== at 0x9CC5D04: st_framebuffers_purge (st_manager.c:510)
==3152== by 0x9CC5D04: st_api_make_current (st_manager.c:876)
==3152== by 0x9E709CD: dri_make_current (dri_context.c:278)</pre>
</div>
</p>
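<p>An added example, not code from the bug report or from Mesa: a small Python replay of the debug-trace format above that tracks each dri_create_buffer/dri_destroy_buffer pair and the drawable selected by each "Bind context" line, and flags any stfb->iface value that names an already destroyed buffer or does not belong to the currently bound drawable. The embedded trace is a constructed abbreviation of the output in the comment; the line formats are assumed to be exactly as printed there.</p>

```python
import re

# Constructed sample: an abbreviated copy of the debug trace in the comment above.
# Trailing "<==== ..." annotations are tolerated because the patterns match prefixes.
SAMPLE_TRACE = """\
dri_create_buffer 0x161220b0: 0x16122130
Bind context 0x16036270 pdp 0x161220b0 prp 0x161220b0
stfb->iface= 0x16122130
dri_create_buffer 0x162791f0: 0x16279270
Bind context 0x16196340 pdp 0x162791f0 prp 0x162791f0
stfb->iface= 0x16279270
dri_create_buffer 0x1628b1c0: 0x1628b240
dri_destroy_buffer 0x162791f0: 0x16279270 <====== buffer (2) destroyed
Bind context 0x16196340 pdp 0x1628b1c0 prp 0x1628b1c0
stfb->iface= 0x16279270
"""

# Line formats assumed from the trace: "<func> <drawable>: <buffer>" and friends.
CREATE = re.compile(r"^dri_create_buffer (0x[0-9a-f]+): (0x[0-9a-f]+)")
DESTROY = re.compile(r"^dri_destroy_buffer (0x[0-9a-f]+): (0x[0-9a-f]+)")
BIND = re.compile(r"^Bind context 0x[0-9a-f]+ pdp (0x[0-9a-f]+) prp")
IFACE = re.compile(r"^stfb->iface= (0x[0-9a-f]+)")


def find_stale_iface(trace):
    """Replay the trace line by line. Returns a list of
    (line_no, iface, expected_buffer, reason) for every stfb->iface that is
    either already destroyed or not the buffer of the currently bound drawable."""
    live = {}       # buffer -> owning drawable, for buffers created and not yet destroyed
    dead = set()    # buffers that have been destroyed
    bound = None    # drawable named by the most recent "Bind context" line
    findings = []
    for n, line in enumerate(trace.splitlines(), 1):
        line = line.strip()
        if m := CREATE.match(line):
            live[m[2]] = m[1]
            dead.discard(m[2])  # the allocator may reuse a freed address
        elif m := DESTROY.match(line):
            live.pop(m[2], None)
            dead.add(m[2])
        elif m := BIND.match(line):
            bound = m[1]
        elif m := IFACE.match(line):
            iface = m[1]
            expected = next((b for b, d in live.items() if d == bound), None)
            if iface in dead:
                findings.append((n, iface, expected, "destroyed"))
            elif iface != expected:
                findings.append((n, iface, expected, "mismatch"))
    return findings


if __name__ == "__main__":
    for n, iface, expected, reason in find_stale_iface(SAMPLE_TRACE):
        print(f"line {n}: stfb->iface={iface} is {reason}; expected {expected}")
```

Run against the constructed trace it reports only the last stfb->iface line, the same one the comment marks as still pointing at buffer (2) after its destruction.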
</body>
</html>