dix: Fix segfault if CreateGC() failed in XaceHook()

CreateGC() allocates a new GC and then checks the resource access rights with XaceHook().

If the call to XaceHook() fails (i.e. GC creation is not granted to the client), CreateGC() exits early and calls FreeGC() to avoid leaking the newly allocated GC.

If that happens, the screen's own CreateGC() has not yet been invoked, and as a result the GC functions (GCfuncs) have not been set yet.

FreeGC() will invoke the funcs->DestroyClip() and the funcs->DestroyGC() functions, but since those haven't been set, the Xserver will segfault trying to call a NULL function.

To prevent that issue, make sure the GC's functions are initialized prior to calling them in FreeGC().

Closes: #1625 (closed)
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>

Edited by Olivier Fourdan
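
The failure path described in the commit message above, as an added example that is not xserver code and not the patch from this merge request. It is a simplified C model: every `model_` name is hypothetical, `access_granted` stands in for the XaceHook() result, and the NULL check in the free routine is an assumed way of guarding the callbacks.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not xserver code: all model_ names are hypothetical. */
typedef struct model_gc model_gc;
typedef struct {
    void (*DestroyClip)(model_gc *gc);
    void (*DestroyGC)(model_gc *gc);
} model_gc_funcs;
struct model_gc {
    const model_gc_funcs *funcs;   /* NULL until the screen's CreateGC() runs */
    int *calls;                    /* lets the caller count teardown callbacks */
};

static void model_destroy_clip(model_gc *gc) { ++*gc->calls; }
static void model_destroy_gc(model_gc *gc)   { ++*gc->calls; }
static const model_gc_funcs model_screen_funcs = { model_destroy_clip, model_destroy_gc };

/* Teardown that tolerates a GC whose function table was never installed. */
static void model_free_gc(model_gc *gc)
{
    if (gc->funcs) {               /* without this guard the denied path calls NULL */
        gc->funcs->DestroyClip(gc);
        gc->funcs->DestroyGC(gc);
    }
    free(gc);
}

/* Returns 0 when the GC was fully set up, -1 when access is denied, -2 on OOM. */
int model_create_gc(int access_granted, int *calls)
{
    model_gc *gc = calloc(1, sizeof(*gc));
    if (!gc) return -2;
    gc->calls = calls;
    if (!access_granted) {         /* early exit: gc->funcs is still NULL here */
        model_free_gc(gc);
        return -1;
    }
    gc->funcs = &model_screen_funcs;   /* stands in for the screen's CreateGC() */
    model_free_gc(gc);                 /* normal teardown runs both callbacks */
    return 0;
}

int main(void)
{
    int n = 0;
    int denied = model_create_gc(0, &n);    /* denied path must not crash */
    int granted = model_create_gc(1, &n);
    printf("denied=%d granted=%d callbacks=%d\n", denied, granted, n);
    return 0;
}
```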