Fixing Debian bug report address.

On 24.12.2014 11:46, Michel Dänzer wrote:
> From: Michel Dänzer <[email protected]>
>
> Calling glamor_purge_fbo directly was incorrect for large pixmaps.
>
> Fixes use-after free with large pixmaps:
>
> ==2029== Invalid write of size 8
>
> ~
> ==2029==    at 0x85F93AD: __xorg_list_del (list.h:184)
> ==2029==    by 0x85F93AD: xorg_list_del (list.h:204)
> ==2029==    by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280)
> ==2029==    by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159)
> ==2029==    by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228)
> ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
> ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
> ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
> ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
> ==2029==    by 0x5098F6: FreePicture (picture.c:1425)
> ==2029==    by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558)
> ==2029==    by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347)
> ==2029==    by 0x85E7964: _glamor_composite (glamor_render.c:1679)
> ==2029==    by 0x85E7A38: glamor_composite (glamor_render.c:1758)
> ==2029==  Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd
> ==2029==    at 0x4C29E90: free (vg_replace_malloc.c:473)
> ==2029==    by 0x85D7167: glamor_set_pixmap_private (glamor.c:570)
> ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
> ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
> ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
> ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
> ==2029==    by 0x45B246: doFreeResource (resource.c:875)
> ==2029==    by 0x45BD5E: FreeResource (resource.c:905)
> ==2029==    by 0x43444B: ProcFreePixmap (dispatch.c:1422)
> ==2029==    by 0x43856E: Dispatch (dispatch.c:432)
> ==2029==    by 0x43C96F: dix_main (main.c:298)
> ==2029==    by 0x6CFAB44: (below main) (libc-start.c:287)
> > Signed-off-by: Michel Dänzer <[email protected]> > --- > > This fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773709 for me, > but it might depend on some previous patches for backporting to the 1.16 > branch. Or maybe the first hunk can just be dropped for that. > > glamor/glamor.c | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > > diff --git a/glamor/glamor.c b/glamor/glamor.c > index e6e8647..78e8278 100644 > --- a/glamor/glamor.c > +++ b/glamor/glamor.c > @@ -225,7 +225,6 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap) > #if GLAMOR_HAS_GBM > glamor_egl_destroy_pixmap_image(pixmap); > #endif > - glamor_pixmap_destroy_fbo(pixmap_priv); > glamor_set_pixmap_private(pixmap, NULL); > } > } > @@ -554,7 +553,6 @@ _X_EXPORT void > glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv) > { > glamor_pixmap_private *old_priv; > - glamor_pixmap_fbo *fbo; > > old_priv = dixGetPrivate(&pixmap->devPrivates, > &glamor_pixmap_private_key); > > @@ -565,10 +563,7 @@ glamor_set_pixmap_private(PixmapPtr pixmap, > glamor_pixmap_private *priv) > if (old_priv == NULL) > return; > > - if (old_priv->base.fbo) { > - fbo = glamor_pixmap_detach_fbo(old_priv); > - glamor_purge_fbo(fbo); > - } > + glamor_pixmap_destroy_fbo(old_priv); > free(old_priv); > } > >
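Review bot: In the first hunk (glamor_destroy_textured_pixmap), FBO teardown now happens only as a side effect of `glamor_set_pixmap_private(pixmap, NULL);`, and nothing at the call site says so. A one-line comment there would keep a later reader from re-adding an explicit `glamor_pixmap_destroy_fbo(pixmap_priv);`. The cover note suggests this hunk could be dropped for the 1.16 backport; with the last hunk applied, that would leave glamor_pixmap_destroy_fbo called on the same private twice in a row, so the backport should either keep this hunk or confirm that a second call is harmless.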
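Review bot: In the last hunk (glamor_set_pixmap_private), the `if (old_priv->base.fbo)` guard is removed and `glamor_pixmap_destroy_fbo(old_priv);` is now called unconditionally. The patch does not show that function, so please confirm it copes with a private that has no FBO attached, or keep the guard around the new call. Since glamor_set_pixmap_private is _X_EXPORT and the trace shows a driver on the call path, the commit message could also say why calling glamor_purge_fbo directly is wrong for large pixmaps, which the one-line description leaves unexplained.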
-- 
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer

