On Thu, 2011-02-03 at 19:48 +0200, Pauli wrote:
> From: Pauli Nieminen <[email protected]>
> 
> If a client disconnects and a new client gets the same id, DRI2 events may
> end up at the wrong client. The DRI2 reference list can be checked to see
> whether the client still owns the DRI2Drawable.
> 
> Signed-off-by: Pauli Nieminen <[email protected]>
> ---
>  hw/xfree86/dri2/dri2.c |   25 +++++++++++++++++--------
>  1 files changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
> index b50206e..12c1f72 100644
> --- a/hw/xfree86/dri2/dri2.c
> +++ b/hw/xfree86/dri2/dri2.c
> @@ -255,7 +255,8 @@ DRI2LookupClientDrawableRef(DRI2DrawablePtr pPriv, 
> ClientPtr client, XID id)
>      DRI2DrawableRefPtr ref;
>  
>      list_for_each_entry(ref, &pPriv->reference_list, link) {
> -     if (CLIENT_ID(ref->dri2_id) == client->index && ref->id == id)
> +     if (CLIENT_ID(ref->dri2_id) == client->index &&

If the client has gone, then isn't this a potential use-after-free?

> +             (id == 0 || ref->id == id))
>           return ref;
>      }
>      return NULL;
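Review bot: The `id == 0` wildcard added to the condition is an undocumented sentinel, and with it the lookup matches any reference whose `CLIENT_ID(ref->dri2_id)` equals `client->index`. If a later connection that reuses the same index has created its own reference on this drawable, a lookup with id 0 would presumably still succeed and the event would be delivered to that newer client; whether this can happen depends on how references are torn down at disconnect, which is not visible here. I would add a comment above the function, `/* id == 0 matches any reference owned by the client */`, and state there why an index match is enough to prove ownership. The function starts above the hunk.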
> @@ -739,21 +740,24 @@ void
>  DRI2WaitMSCComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
>                   unsigned int tv_sec, unsigned int tv_usec)
>  {
> +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
> +    ClientPtr blockedClient = pPriv->blockedClient;
> +
> +    pPriv->blockedClient = NULL;
> +    pPriv->blockedOnMsc = FALSE;
>      pPriv->refcnt--;
>  
> -    if (pPriv->refcnt == 0) {
> -     DRI2DrawableGone(pPriv, 0);
> +    if (ref == NULL) {
> +     if (pPriv->refcnt == 0)
> +         DRI2DrawableGone(pPriv, 0);
>       return;
>      }
>  
>      ProcDRI2WaitMSCReply(client, ((CARD64)tv_sec * 1000000) + tv_usec,
>                        frame, pPriv->swap_count);
>  
> -    if (pPriv->blockedClient)
> -     AttendClient(pPriv->blockedClient);
> -
> -    pPriv->blockedClient = NULL;
> -    pPriv->blockedOnMsc = FALSE;
> +    if (blockedClient)
> +     AttendClient(blockedClient);
>  }
>  
>  static void
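Review bot: In DRI2WaitMSCComplete the `ref == NULL` path returns after `pPriv->blockedClient` has already been set to NULL but without calling `AttendClient(blockedClient)`, so a blocked client that is not the disconnected one would stay ignored with nothing left on the drawable to wake it. Whether `blockedClient` can differ from `client` is not visible in this hunk. If the two are always the same, say so on the early return, for example `/* client is gone and was the blocked client; nothing to attend */`; if they can differ, the saved pointer needs to be attended or restored before returning.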
> @@ -806,6 +810,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, 
> int frame,
>                  DRI2SwapEventPtr swap_complete, void *swap_data)
>  {
>      DRI2SwapCompleteDataPtr pSwapData = swap_data;
> +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
>      DrawablePtr     pDraw = pPriv->drawable;
>      CARD64          ust = 0;
>  
> @@ -813,6 +818,9 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, 
> int frame,
>      pPriv->swap_count++;
>      pPriv->refcnt--;
>  
> +    if (ref == NULL)
> +     goto out;
> +
>      if (pDraw) {
>       BoxRec          box;
>       RegionRec       region;
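Review bot: The `goto out` added after `pPriv->refcnt--` skips `DRI2WakeClient()`, and unlike the DRI2WaitMSCComplete change this path does not reset `pPriv->blockedClient` or `pPriv->blockedOnMsc`. If the drawable outlives this call (refcnt is not zero at the `out:` label in the last hunk), the private would presumably keep a pointer to a client that no longer exists, and later completions would act on it. Clearing the state before the jump, `if (pPriv->blockedClient == client) { pPriv->blockedClient = NULL; pPriv->blockedOnMsc = FALSE; }`, would keep both completion paths consistent. The body between this hunk and the `out:` label lies outside the visible lines, so confirm that nothing there already does this.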
> @@ -836,6 +844,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, 
> int frame,
>  
>      DRI2WakeClient(client, pPriv, frame, tv_sec, tv_usec);
>  
> +out:
>      free_swap_complete_data(pPriv, pSwapData);
>  
>      if (pPriv->refcnt == 0)

