Compare revisions

Alan Coopersmith · Alan Coopersmith · Alan Coopersmith · Peter Hutterer · Alan Coopersmith · bdca6c3d
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
    GrabParameters param;
    void *tmp;
    int mask_len;
+    uint32_t length;

    REQUEST(xXIPassiveGrabDeviceReq);
    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
        }
    }

+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
    WriteReplyToClient(client, sizeof(rep), &rep);
    if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);

 out:
    free(modifiers_failed);

--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
    InputClientsPtr others = NULL;
    xXIEventMask *evmask = NULL;
    DeviceIntPtr dev;
+    uint32_t length;

    REQUEST(xXIGetSelectedEventsReq);
    REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
        }
    }

+    /* save the value before SRepXIGetSelectedEvents swaps it */
+    length = reply.length;
    WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);

    if (reply.num_masks)
-        WriteToClient(client, reply.length * 4, buffer);
+        WriteToClient(client, length * 4, buffer);

    free(buffer);
    return Success;

--- a/hw/xquartz/xpr/appledri.c
+++ b/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
    xAppleDRICreatePixmapReply rep;
    int width, height, pitch, bpp;
    void *ptr;
+    CARD32 stringLength;

    REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);

@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
    if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
        ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));

+    stringLength = rep.stringLength;  /* save unswapped value */
    if (client->swapped) {
        swaps(&rep.sequenceNumber);
        swapl(&rep.length);
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
    }

    WriteToClient(client, sizeof(rep), &rep);
-    WriteToClient(client, rep.stringLength, path);
+    WriteToClient(client, stringLength, path);

    return Success;
 }

--- a/render/glyph.c
+++ b/render/glyph.c
@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
    }
 }

-static void
+void
 FreeGlyph(GlyphPtr glyph, int format)
 {
    CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
+    BUG_RETURN(glyph->refcnt == 0);
    if (--glyph->refcnt == 0) {
        GlyphRefPtr gr;
        int i;
@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
    glyph = (GlyphPtr) malloc(size);
    if (!glyph)
        return 0;
-    glyph->refcnt = 0;
+    glyph->refcnt = 1;
    glyph->size = size + sizeof(xGlyphInfo);
    glyph->info = *gi;
    dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);

--- a/render/glyphstr_priv.h
+++ b/render/glyphstr_priv.h
@@ -56,6 +56,7 @@ void AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id);
 Bool DeleteGlyph(GlyphSetPtr glyphSet, Glyph id);
 GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
 GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
+void FreeGlyph(GlyphPtr glyph, int format);
 Bool ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
 GlyphSetPtr AllocateGlyphSet(int fdepth, PictFormatPtr format);
 int FreeGlyphSet(void *value, XID gid);

--- a/render/render.c
+++ b/render/render.c
@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)

        if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
            glyph_new->found = TRUE;
+            ++glyph_new->glyph->refcnt;
        }
        else {
            GlyphPtr glyph;
@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
        err = BadAlloc;
        goto bail;
    }
-    for (i = 0; i < nglyphs; i++)
+    for (i = 0; i < nglyphs; i++) {
        AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
+        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
+    }

    if (glyphsBase != glyphsLocal)
        free(glyphsBase);
@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
        FreePicture((void *) pSrc, 0);
    if (pSrcPix)
        FreeScratchPixmapHeader(pSrcPix);
-    for (i = 0; i < nglyphs; i++)
-        if (glyphs[i].glyph && !glyphs[i].found)
-            free(glyphs[i].glyph);
+    for (i = 0; i < nglyphs; i++) {
+        if (glyphs[i].glyph) {
+            --glyphs[i].glyph->refcnt;
+            if (!glyphs[i].found)
+                free(glyphs[i].glyph);
+        }
+    }
    if (glyphsBase != glyphsLocal)
        free(glyphsBase);
    return err;
No results found