Commit a6566f9e authored by Michel Dänzer's avatar Michel Dänzer Committed by Adam Jackson

prime: Clear PixmapDirtyUpdateRec::damage when it's destroyed

The root window, and by extension any damage records referencing it,
may be destroyed before shared pixmaps referencing it, which resulted in
use-after-free / double-free in PixmapStopDirtyTracking.

Fixes: b5b29289 ("prime: Sync shared pixmap from root window instead of screen pixmap")
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
parent 371ff0c9
......@@ -172,6 +172,14 @@ PixmapPtr PixmapShareToSlave(PixmapPtr pixmap, ScreenPtr slave)
return spix;
}
static void
PixmapDirtyDamageDestroy(DamagePtr damage, void *closure)
{
PixmapDirtyUpdatePtr dirty = closure;
dirty->damage = NULL;
}
Bool
PixmapStartDirtyTracking(PixmapPtr src,
PixmapPtr slave_dst,
......@@ -195,10 +203,10 @@ PixmapStartDirtyTracking(PixmapPtr src,
dirty_update->dst_x = dst_x;
dirty_update->dst_y = dst_y;
dirty_update->rotation = rotation;
dirty_update->damage = DamageCreate(NULL, NULL,
dirty_update->damage = DamageCreate(NULL, PixmapDirtyDamageDestroy,
DamageReportNone,
TRUE, src->drawable.pScreen,
src->drawable.pScreen);
dirty_update);
if (rotation != RR_Rotate_0) {
RRTransformCompute(x, y,
......@@ -247,7 +255,8 @@ PixmapStopDirtyTracking(PixmapPtr src, PixmapPtr slave_dst)
xorg_list_for_each_entry_safe(ent, safe, &screen->pixmap_dirty_list, ent) {
if (ent->src == src && ent->slave_dst == slave_dst) {
DamageDestroy(ent->damage);
if (ent->damage)
DamageDestroy(ent->damage);
xorg_list_del(&ent->ent);
free(ent);
}
......
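Review bot: After this change `dirty->damage` can be NULL while the entry is still on `screen->pixmap_dirty_list`, but the only guard added is the `if (ent->damage)` test in PixmapStopDirtyTracking. No other reader of the field is visible in these hunks, so this needs confirming, but any code that walks the list and dereferences `damage` without a NULL test would trade the use-after-free for a NULL dereference. The damage record also now holds a raw back-pointer to `dirty_update` as its closure, so every path that frees a PixmapDirtyUpdateRec has to call DamageDestroy first, as the stop path does, or the callback will write into freed memory. A short comment above PixmapDirtyDamageDestroy would record that invariant, for example `/* Damage may be destroyed before the dirty record; drop the stale pointer so it is not destroyed twice. */`. PixmapStartDirtyTracking and PixmapStopDirtyTracking both continue outside the hunks.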