--- xserver-panda-org/hw/xfree86/dri2/dri2.c 2011-02-09 14:25:26.000000000 -0800
+++ xserver-panda/hw/xfree86/dri2/dri2.c 2011-02-15 16:36:37.794484553 -0800
@@ -402,8 +402,16 @@
 dimensions_match = (pDraw->width == pPriv->width) &&
 (pDraw->height == pPriv->height) &&
 (pPriv->serialNumber == DRI2DrawableSerial(pDraw));
-
- buffers = malloc((count + 1) * sizeof(buffers[0]));
+
+ /* can't use malloc here because
+ * 1. if allocate_or_reuse_buffer() failes to allocate buffer, buffers[i] is set to null
+ * 2. actually allocated number of buffer is *less* than "count"
+ * 3. (*ds->DestroyBuffer)(pDraw, buffers[i]) at "err_out" frees up those memory
+ * 4. DestroyBuffer() dereferences some *garbage* pointer(if malloc was used) at buffers[i],
+ * where i is greater than allocated number of buffer at step 2.
+ * 5. Xserver crashes due to dereferencing garbage poiner.....
+ */
+ buffers = calloc((count + 1), sizeof(buffers[0]));
 for (i = 0; i < count; i++) {
 const unsigned attachment = *(attachments++);
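Review bot: The `calloc()` result is still not checked before the `for (i = 0; i < count; i++)` loop that follows it, so if the allocation fails the first store into `buffers[i]` (which the new comment itself says happens inside `allocate_or_reuse_buffer()`) is a NULL dereference — one server crash is traded for another. Add a guard right after the call, e.g. `if (buffers == NULL) return NULL;` (or whatever failure value this function's callers expect; the function begins and ends outside this hunk, so the right return form is not visible here). It is also worth stating the second benefit in the comment: since `count` appears to come from the client's GetBuffers request, `calloc(count + 1, sizeof(buffers[0]))` also makes the size multiplication overflow-checked, which `malloc((count + 1) * sizeof(...))` was not. Finally, the comment has typos (`failes`, `poiner`) that should be fixed while it is being rewritten.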