Created attachment 43461 [details] [review]
dri2 patch for preveting Xorg from crash 

do_get_buffers() create array of pointer called "buffers" using malloc.

This array will be filled with pointer for buffer by allocate_or_reuse_buffer()- eventually, it uses EXA if enabled. 

Unlikely, allocate_or_reuse_buffer() fails to allocate memory at buffers[i] where i is less than "count". 

Because of failure, the rest of buffers (from buffers[i] to buffers[count-1]) remains with some garbage pointer when it was allocated at malloc.

Then it jumps to  "err_out" to free those allocated buffers[i], but it tries to clean up buffers until buffers[count-1] - we know that this is not properly allocated.

At the end, Xserver crashes due to dereferencing garbage pointer.....

This crash cab be prevented by using calloc instead of malloc.

Here is my patch to fix this problem.



--- xserver-panda-org/hw/xfree86/dri2/dri2.c    2011-02-09 14:25:26.000000000 -0800
+++ xserver-panda/hw/xfree86/dri2/dri2.c 2011-02-15 16:36:37.794484553 -0800
@@ -402,8 +402,16 @@
     dimensions_match = (pDraw->width == pPriv->width)
       && (pDraw->height == pPriv->height)
       && (pPriv->serialNumber == DRI2DrawableSerial(pDraw));
-
-    buffers = malloc((count + 1) * sizeof(buffers[0]));
+       
+      /* can't use malloc here because
+       * 1. if allocate_or_reuse_buffer() failes to allocate buffer, buffers[i] is set to null 
+       * 2. actually allocated number of buffer is *less* than "count"
+       * 3. (*ds->DestroyBuffer)(pDraw, buffers[i]) at "err_out" frees up those memory  
+       * 4. DestroyBuffer() dereferences some *garbage* pointer(if malloc was used) at buffers[i], 
+       * where i is greater than allocated number of buffer at step 2.   
+       * 5. Xserver crashes due to dereferencing garbage poiner.....
+       */
+    buffers = calloc((count + 1), sizeof(buffers[0]));
 
     for (i = 0; i < count; i++) {
       const unsigned attachment = *(attachments++);