dix: Fix segfault if CreateGC() failed in XaceHook()
CreateGC() allocates a new GC and then checks the resource access rights with XaceHook().

If the call to XaceHook() fails (i.e. GC creation is not granted to the client), CreateGC() exits early and calls FreeGC() to avoid leaking the newly allocated GC.

If that happens, the screen's own CreateGC() has not yet been invoked, and as a result the GC functions (GCfuncs) have not been set yet.

FreeGC() will invoke the funcs->DestroyClip() and the funcs->DestroyGC() functions, but since those haven't been set, the Xserver will segfault trying to call a NULL function.

To prevent that issue, make sure the GC's functions are initialized prior to calling them in FreeGC().

Closes: #1625
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
parent 9c7c470b
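The failure path described in the commit message, as an added C sketch that is not the X server's code: a simplified model with hypothetical names (`struct gc`, `create_gc`, `free_gc`, `screen_create_gc`, the `access_granted` flag) in which the free routine skips the destroy callbacks when the function table was never set.

```c
/* Simplified model of the allocate / access-check / free path; all names are hypothetical. */
#include <stdlib.h>

struct gc;
struct gc_funcs {
    void (*destroy_clip)(struct gc *);
    void (*destroy_gc)(struct gc *);
};
struct gc {
    const struct gc_funcs *funcs;   /* NULL until the screen hook has run */
};
static int clip_destroyed, gc_destroyed;   /* counters so the result is observable */
static void model_destroy_clip(struct gc *g) { (void)g; clip_destroyed++; }
static void model_destroy_gc(struct gc *g)   { (void)g; gc_destroyed++; }
static const struct gc_funcs model_funcs = { model_destroy_clip, model_destroy_gc };

/* Stand-in for the screen's own create hook: the only place funcs gets set. */
static void screen_create_gc(struct gc *g) { g->funcs = &model_funcs; }

/* Teardown that tolerates a half-constructed object. */
void free_gc(struct gc *g)
{
    if (g == NULL) return;
    if (g->funcs != NULL) {   /* without this test the early-exit path calls through NULL */
        g->funcs->destroy_clip(g);
        g->funcs->destroy_gc(g);
    }
    free(g);
}

/* access_granted models the result of the access-control hook. */
struct gc *create_gc(int access_granted)
{
    struct gc *g = calloc(1, sizeof(*g));   /* funcs starts out NULL */
    if (g == NULL) return NULL;
    if (!access_granted) {
        free_gc(g);           /* early exit: the screen hook has not run yet */
        return NULL;
    }
    screen_create_gc(g);
    return g;
}

int main(void)
{
    struct gc *denied = create_gc(0);   /* denied creation must not crash */
    free_gc(create_gc(1));              /* normal path runs both callbacks once */
    return !(denied == NULL && clip_destroyed == 1 && gc_destroyed == 1);
}
```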