-
Calling glamor_purge_fbo directly was incorrect for large pixmaps. Fixes use-after free with large pixmaps: ==2029== Invalid write of size 8 ~ ==2029== at 0x85F93AD: __xorg_list_del (list.h:184) ==2029== by 0x85F93AD: xorg_list_del (list.h:204) ==2029== by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280) ==2029== by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159) ==2029== by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228) ==2029== by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272) ==2029== by 0x519D00: damageDestroyPixmap (damage.c:1473) ==2029== by 0x4DD307: XvDestroyPixmap (xvmain.c:370) ==2029== by 0x4DB975: ShmDestroyPixmap (shm.c:258) ==2029== by 0x5098F6: FreePicture (picture.c:1425) ==2029== by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558) ==2029== by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347) ==2029== by 0x85E7964: _glamor_composite (glamor_render.c:1679) ==2029== by 0x85E7A38: glamor_composite (glamor_render.c:1758) ==2029== Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd ==2029== at 0x4C29E90: free (vg_replace_malloc.c:473) ==2029== by 0x85D7167: glamor_set_pixmap_private (glamor.c:570) ==2029== by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272) ==2029== by 0x519D00: damageDestroyPixmap (damage.c:1473) ==2029== by 0x4DD307: XvDestroyPixmap (xvmain.c:370) ==2029== by 0x4DB975: ShmDestroyPixmap (shm.c:258) ==2029== by 0x45B246: doFreeResource (resource.c:875) ==2029== by 0x45BD5E: FreeResource (resource.c:905) ==2029== by 0x43444B: ProcFreePixmap (dispatch.c:1422) ==2029== by 0x43856E: Dispatch (dispatch.c:432) ==2029== by 0x43C96F: dix_main (main.c:298) ==2029== by 0x6CFAB44: (below main) (libc-start.c:287) Signed-off-by:
Michel Dänzer <michel.daenzer@amd.com> Reviewed-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
8323d2e9
