[PATCH 1/4] glamor: Fix use-after-free in glamor_destroy_textured_pixmap

Michel Dänzer michel at daenzer.net
Wed Dec 10 23:50:37 PST 2014 

From: Michel Dänzer <michel.daenzer at amd.com>

==25551== Invalid read of size 8
==25551==    at 0x85D5F2C: glamor_egl_destroy_pixmap_image (glamor_egl.c:527)
==25551==    by 0x85D7750: glamor_destroy_pixmap (glamor.c:235)
==25551==    by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278)
==25551==    by 0x5098F6: FreePicture (picture.c:1425)
==25551==    by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257)
==25551==    by 0x85D7B50: glamor_close_screen (glamor.c:586)
==25551==    by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734)
==25551==    by 0x4CFFC7: CursorCloseScreen (cursor.c:187)
==25551==    by 0x513A44: AnimCurCloseScreen (animcur.c:106)
==25551==    by 0x51529B: present_close_screen (present_screen.c:64)
==25551==    by 0x43CA83: dix_main (main.c:351)
==25551==    by 0x6CFAB44: (below main) (libc-start.c:287)
==25551==  Address 0x83dafa0 is 96 bytes inside a block of size 152 free'd
==25551==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25551==    by 0x85D76B4: glamor_destroy_textured_pixmap (glamor.c:225)
==25551==    by 0x85D7750: glamor_destroy_pixmap (glamor.c:235)
==25551==    by 0xC1BDD9B: radeon_glamor_destroy_pixmap (radeon_glamor.c:278)
==25551==    by 0x5098F6: FreePicture (picture.c:1425)
==25551==    by 0x85DD7A9: glamor_unrealize_glyph_caches (glamor_glyphs.c:257)
==25551==    by 0x85D7B50: glamor_close_screen (glamor.c:586)
==25551==    by 0x4B1A82: xf86CrtcCloseScreen (xf86Crtc.c:734)
==25551==    by 0x4CFFC7: CursorCloseScreen (cursor.c:187)
==25551==    by 0x513A44: AnimCurCloseScreen (animcur.c:106)
==25551==    by 0x51529B: present_close_screen (present_screen.c:64)
==25551==    by 0x43CA83: dix_main (main.c:351)

Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
---
 glamor/glamor.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/glamor/glamor.c b/glamor/glamor.c
index b32cc16..c4f3f3a 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -221,11 +221,12 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
 {
     if (pixmap->refcnt == 1) {
         glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap);
-        if (pixmap_priv != NULL)
-            glamor_pixmap_destroy_fbo(pixmap_priv);
+        if (pixmap_priv != NULL) {
 #if GLAMOR_HAS_GBM
-        glamor_egl_destroy_pixmap_image(pixmap);
+            glamor_egl_destroy_pixmap_image(pixmap);
 #endif
+            glamor_pixmap_destroy_fbo(pixmap_priv);
+        }
     }
 }
 
-- 
2.1.3

More information about the xorg-devel mailing list