From 7be0e602ed82d25b9f0db77748618c663d9cbfe7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Nicolai=20H=C3=A4hnle?=
Date: Fri, 27 Jan 2017 11:55:14 +0100
Subject: [PATCH] dri/common: clear the loaderPrivate pointer in driDestroyDrawable
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The GLX specification says about glXDestroyPixmap: "The storage for the GLX pixmap will be freed when it is not current to any client." We're not really following this language to the letter: some of the storage is freed immediately (in particular, the dri3_drawable, which contains both GLXDRIdrawable and loader_dri3_drawable). So we NULL out the pointers to that freed storage; the previous patches added the corresponding NULL-pointer checks. This fixes memory corruption in piglit ./bin/glx-visuals-depth/stencil -pixmap -auto
Cc: 17.0
Reviewed-by: Marek Olšák
Reviewed-by: Emil Velikov
---
 src/mesa/drivers/dri/common/dri_util.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/mesa/drivers/dri/common/dri_util.c b/src/mesa/drivers/dri/common/dri_util.c
index f92eee9..d18c458 100644
--- a/src/mesa/drivers/dri/common/dri_util.c
+++ b/src/mesa/drivers/dri/common/dri_util.c
@@ -645,6 +645,8 @@ driCreateNewDrawable(__DRIscreen *screen,
 {
 __DRIdrawable *pdraw;

+ assert(data != NULL);
+
 pdraw = malloc(sizeof *pdraw);
 if (!pdraw)
 return NULL;
@@ -674,6 +676,16 @@ driCreateNewDrawable(__DRIscreen *screen,
 static void
 driDestroyDrawable(__DRIdrawable *pdp)
 {
+ /*
+ * The loader's data structures are going away, even if pdp itself stays
+ * around for the time being because it is currently bound. This happens
+ * when a currently bound GLX pixmap is destroyed.
+ *
+ * Clear out the pointer back into the loader's data structures to avoid
+ * accessing an outdated pointer.
+ */
+ pdp->loaderPrivate = NULL;
+
 dri_put_drawable(pdp);
 }

--
2.7.4
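Review bot: The added `assert(data != NULL);` in driCreateNewDrawable disappears when the file is built with NDEBUG, so a release build still accepts a NULL loader pointer without complaint. After this commit NULL also serves as the "loader side already destroyed" marker written in driDestroyDrawable, so a drawable created with NULL data would presumably be indistinguishable from a destroyed one. If a loader can ever pass NULL here, a runtime guard such as `if (!data) return NULL;` would enforce the invariant in all builds. Otherwise state it next to the assert, e.g. `/* NULL loaderPrivate is reserved for drawables whose loader side was destroyed */`. The function starts and ends outside this hunk, so where data is stored is inferred from the commit message rather than seen.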
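Review bot: The store `pdp->loaderPrivate = NULL;` in driDestroyDrawable only turns the dangling pointer into a detectable state if every later reader of loaderPrivate tests it first. Those checks live in the earlier patches the description mentions, not in this diff, so a reader added later without the check would dereference NULL. The new comment should spell out that contract, for example with an extra line `* Every user of loaderPrivate must check it for NULL before dereferencing.` The comment also says pdp can still be bound; if it can be current on another thread, this plain store gives no ordering against a reader that already loaded the old pointer. It is worth confirming what serialises destroy against use, since the stale-pointer window may only be narrowed rather than closed.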