xmir_resize() releases a pixmap it does not own, leading to freed memory reads

Reported by Daniel van Vugt on 2013-09-06
This bug affects 3 people
Affects: XMir
Importance: Critical
Assigned to: Chris Halse Rogers

Bug Description

==32480== Invalid read of size 4
==32480== at 0xA22E394: sna_dri_create_buffer (sna_dri.c:252)
==32480== by 0x27BF7A: allocate_or_reuse_buffer.isra.6 (dri2.c:448)
==32480== by 0x27CCE6: do_get_buffers (dri2.c:573)
==32480== by 0x27D11F: DRI2GetBuffersWithFormat (dri2.c:690)
==32480== by 0x27EAFF: ProcDRI2Dispatch (dri2ext.c:306)
==32480== by 0x15CFCD: Dispatch (dispatch.c:432)
==32480== by 0x14C529: main (main.c:298)
==32480== Address 0xb98d18c is 12 bytes inside a block of size 120 free'd
==32480== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480== by 0xA19FC6D: sna_destroy_pixmap.part.69 (sna_accel.c:1393)
==32480== by 0xA19FCBE: sna_destroy_pixmap (sna_accel.c:1347)
==32480== by 0x234DC0: damageDestroyPixmap (damage.c:1559)
==32480== by 0x1F7B68: XvDestroyPixmap (xvmain.c:372)
==32480== by 0x1F66BE: ShmDestroyPixmap (shm.c:273)
==32480== by 0x86987D5: xmir_resize (xmir-output.c:453)
==32480== by 0x1DA7D6: xf86RandR12ScreenSetSize (xf86RandR12.c:699)
==32480== by 0x22231A: ProcRRSetScreenSize (rrscreen.c:286)
==32480== by 0x15CFCD: Dispatch (dispatch.c:432)
==32480== by 0x14C529: main (main.c:298)

summary: - xmir_resize() releases a reference it did not own
+ xmir_resize() releases a pixmap it does not own, leading to freed memory reads
Changed in xmir:
importance: Undecided → Critical
description: updated
tags: added: make-xmir-default
Changed in xmir:
assignee: nobody → Chris Halse Rogers (raof)
Changed in xmir:
assignee: Chris Halse Rogers (raof) → Daniel van Vugt (vanvugt)
status: New → In Progress
Daniel van Vugt (vanvugt) wrote :

Hmm, pixmap ownership semantics in the Xorg source seem quite subtle and fragile. Also not obviously documented. I'll have to defer to someone who might know how it's /meant/ to work.

Changed in xmir:
status: In Progress → Triaged
assignee: Daniel van Vugt (vanvugt) → nobody
assignee: nobody → Chris Halse Rogers (raof)
