[Dri-devel] Double-free in _driUtilUpdateDrawableInfo()

Wed, 12 Feb 2003 10:10:49 -0800 

I think there is a problem with this patch: 
(http://marc.theaimsgroup.com/?l=xfree-cvs&m=104493451323441&w=2)

   868. Revert the DestroyContext, GarbageCollectDrawables reording in
        dri_util.c, and instead check if the drawable is known to the DRI
        client code before calling XF86DRIGetDrawableInfo (Egbert Eich).

The patch moves the call to __driGarbageCollectDrawables() in
driDestroyContext() (dri_util.c) back before the call to the driver's
DestroyContext() callback.  However, when the radeon driver calls
__driUtilUpdateDrawableInfo() in it's DestroyContext() (when locking the
DRM), a double-free can happen on pdp->pClipRects.  The problem is that
the memory pointed to by pClipRects has already been freed by
driDestroyDrawable() (via __driGarbageCollectDrawables()), but 'pdp' in
the context of __driUtilUpdateDrawableInfo() is the radeon driver's
mirrored copy of the drawable private struct, which still has a pointer to
the freed pClipRects.  In fact, the drawable private struct itself
(pointed to by pdp) has also been freed, but again the mirrored pointer
still exists in the radeon driver, so this pointer really shouldn't even
be dereferenced.

The easiest/quickest fix would be to move __driGarbageCollectDrawables()  
back to after the driver's DestroyContext() callback as in the original
patch in DRI cvs.  I think an argument could also be made that the
(radeon) driver should NULL out it's mirrored drawable pointer in it's
DestroyBuffer() callback, which is called by driDestroyDrawable() just
before it destroys/frees the drawable.  That would also require adding a
check for a NULL drawable to the driver's locking function (probably just 
returning after the DRM lock ioctl).  I'm not sure if there would be any 
other side effects to that change.  Comments?

It also looks to me like there could be a memory leak on pBackClipRects in
driDestroyDrawable().  It looks like pBackClipRects should be freed there
(if non-NULL) along with pClipRects. Is this freed somewhere that 
I'm missing?

-- 
Leif Delgass 
http://www.retinalburn.net






-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Dri-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dri-devel

Reply via email to