fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-31 09:00:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
xserver/glamor
History
Michel Dänzer 8323d2e901 glamor: Call glamor_pixmap_destroy_fbo from glamor_set_pixmap_private 
Calling glamor_purge_fbo directly was incorrect for large pixmaps.

Fixes use-after free with large pixmaps:

==2029== Invalid write of size 8                                                                                                                                      ~
==2029==    at 0x85F93AD: __xorg_list_del (list.h:184)
==2029==    by 0x85F93AD: xorg_list_del (list.h:204)
==2029==    by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280)
==2029==    by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159)
==2029==    by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228)
==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
==2029==    by 0x5098F6: FreePicture (picture.c:1425)
==2029==    by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558)
==2029==    by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347)
==2029==    by 0x85E7964: _glamor_composite (glamor_render.c:1679)
==2029==    by 0x85E7A38: glamor_composite (glamor_render.c:1758)
==2029==  Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd
==2029==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==2029==    by 0x85D7167: glamor_set_pixmap_private (glamor.c:570)
==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
==2029==    by 0x45B246: doFreeResource (resource.c:875)
==2029==    by 0x45BD5E: FreeResource (resource.c:905)
==2029==    by 0x43444B: ProcFreePixmap (dispatch.c:1422)
==2029==    by 0x43856E: Dispatch (dispatch.c:432)
==2029==    by 0x43C96F: dix_main (main.c:298)
==2029==    by 0x6CFAB44: (below main) (libc-start.c:287)

Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
2014-12-25 13:02:49 -08:00
..
glamor.c glamor: Call glamor_pixmap_destroy_fbo from glamor_set_pixmap_private 2014-12-25 13:02:49 -08:00
glamor.h glamor: Add an accessor for the GBM device. 2014-12-11 11:26:19 -08:00
glamor_addtraps.c glamor: Rely on nested mappings to handle src==dst and !prepare bugs. 2014-03-17 14:30:56 -07:00
glamor_compositerects.c glamor: Remove an extra copy of RegionNil(). 2014-01-27 09:30:47 -08:00
glamor_context.h glamor: Replace glamor_get/put_context() with just glamor_make_current(). 2014-04-23 10:32:23 -07:00
glamor_copy.c mi: Drop plane argument from miHandleExposures 2014-10-09 11:14:53 +02:00
glamor_core.c glamor: Remove stubbed-out glamor_stipple function 2014-06-15 23:17:59 +01:00
glamor_dash.c glamor: Add glamor_program based 0-width dashed lines 2014-06-15 22:02:41 +01:00
glamor_debug.h glamor: Apply x-indent.sh. 2014-01-27 09:30:47 -08:00
glamor_egl.c glamor: Add an accessor for the GBM device. 2014-12-11 11:26:19 -08:00
glamor_egl_stubs.c glamor: Always destroy EGL image associated with destroyed pixmap 2014-12-09 08:46:45 -08:00
glamor_eglmodule.c Fix files including xorg-server.h by mistake 2014-07-30 12:17:27 -07:00
glamor_fbo.c glamor: Make glamor_destroy_textured_pixmap idempotent 2014-12-11 19:36:31 -08:00
glamor_font.c glamor: Don't try to set up core fonts textures when we won't use them. 2014-08-12 16:37:11 -07:00
glamor_font.h glamor: Add glamor_program based poly_text and image_text 2014-04-03 13:07:52 -07:00
glamor_glx.c glamor: Do the same MakeCurrent(None) for GLX as we do for EGL. 2014-04-23 10:32:32 -07:00
glamor_glyphblt.c glamor: Use glamor_program for glamor_push_pixels 2014-06-15 22:02:41 +01:00
glamor_glyphs.c glamor: Make glyph mask cache per-screen 2014-09-11 18:31:11 -07:00
glamor_gradient.c glamor: Remove always-true yInverted flag. 2014-07-17 17:35:38 -07:00
glamor_image.c glamor: Don't leak a prepare_access_gc() in putimage fallbacks. 2014-06-12 21:53:59 -07:00
glamor_largepixmap.c glamor: Check large pixmap users in glamor_largepixmap.c 2014-09-18 15:53:36 -07:00
glamor_lines.c glamor: Add glamor_program based 0-width dashed lines 2014-06-15 22:02:41 +01:00
glamor_picture.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
glamor_pixmap.c glamor: Free converted bits in _glamor_upload_bits_to_pixmap_texture fast path 2014-10-26 17:00:17 -07:00
glamor_points.c glamor: Drop the "are we doing a series of blits or draws" logic. 2014-07-17 17:35:48 -07:00
glamor_prepare.c glamor: Use GL_STREAM_READ also for read/write access to a PBO 2014-09-29 13:17:57 -07:00
glamor_prepare.h glamor: Replace fallback preparation code 2014-06-15 22:02:40 +01:00
glamor_priv.h glamor: Always destroy EGL image associated with destroyed pixmap 2014-12-09 08:46:45 -08:00
glamor_program.c glamor: Add accelerated stipple support 2014-06-15 23:17:56 +01:00
glamor_program.h glamor: Add glamor_program based 0-width dashed lines 2014-06-15 22:02:41 +01:00
glamor_rects.c glamor: Replace glamor_get/put_context() with just glamor_make_current(). 2014-04-23 10:32:23 -07:00
glamor_render.c Merge remote-tracking branch 'origin/master' into glamor-next 2014-07-17 18:07:26 -07:00
glamor_segs.c glamor: Add glamor_program based 0-width dashed lines 2014-06-15 22:02:41 +01:00
glamor_spans.c glamor: Drop unnecessary glTexParameteri() in SetSpans(). 2014-07-17 17:34:16 -07:00
glamor_sync.c glamor: sync_fence_set_triggered should use glFlush, not glFinish 2014-07-19 12:25:24 -07:00
glamor_text.c glamor: Drop the "are we doing a series of blits or draws" logic. 2014-07-17 17:35:48 -07:00
glamor_transfer.c glamor: Drop unnecessary glTexParameteri() in upload of texture data. 2014-07-17 17:34:28 -07:00
glamor_transfer.h glamor: Add simple upload/download functions in glamor_transfer 2014-04-03 13:07:51 -07:00
glamor_transform.c glamor: Add accelerated stipple support 2014-06-15 23:17:56 +01:00
glamor_transform.h glamor: Add infrastructure for generating shaders on the fly 2014-03-26 12:58:40 -07:00
glamor_trapezoid.c glamor: Remove shader-based trapezoid implementation. Fixes Bug 76213. 2014-09-18 15:53:39 -07:00
glamor_triangles.c glamor: Rely on nested mappings to handle src==dst and !prepare bugs. 2014-03-17 14:30:56 -07:00
glamor_utils.c glamor: Drop constant arguments to glamor_solid(). 2014-07-17 17:34:29 -07:00
glamor_utils.h glamor: Remove always-true yInverted flag. 2014-07-17 17:35:38 -07:00
glamor_vbo.c glamor: Fix GLES2 non-VBO temporary memory allocation. 2014-06-23 14:51:56 -07:00
glamor_window.c glamor: Apply x-indent.sh. 2014-01-27 09:30:47 -08:00
glamor_xv.c glamor: Free Xv put image data immediately after use 2014-08-17 14:17:30 -07:00
Makefile.am glamor: Add support for SHM sync fences 2014-07-18 12:22:50 -07:00