From a2d0829531249e24dbca25fc20ed30a2bb2d8ed8 Mon Sep 17 00:00:00 2001
From: Michel Dänzer <michel.daenzer@amd.com>
Date: Thu, 12 Jul 2012 11:16:37 +0000
Subject: glx: Free DRI2 drawable reference to destroyed GLX drawable.

Otherwise the reference can lead to use after free in
__glXDRIinvalidateBuffers().

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50019

Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
---
Index: xorg-server-1.12.3/glx/glxdri2.c
===================================================================
--- xorg-server-1.12.3.orig/glx/glxdri2.c
+++ xorg-server-1.12.3/glx/glxdri2.c
@@ -96,6 +96,7 @@ struct __GLXDRIdrawable {
     int height;
     __DRIbuffer buffers[MAX_DRAWABLE_BUFFERS];
     int count;
+    XID dri2_id;
 };
 
 static void
@@ -104,6 +105,8 @@ __glXDRIdrawableDestroy(__GLXdrawable *
     __GLXDRIdrawable *private = (__GLXDRIdrawable *) drawable;
     const __DRIcoreExtension *core = private->screen->core;
 
+    FreeResource(private->dri2_id, FALSE);
+
     (*core->destroyDrawable) (private->driDrawable);
 
     __glXDrawableRelease(drawable);
@@ -597,8 +600,9 @@ __glXDRIscreenCreateDrawable(ClientPtr c
     private->base.waitGL = __glXDRIdrawableWaitGL;
     private->base.waitX = __glXDRIdrawableWaitX;
 
-    if (DRI2CreateDrawable(client, pDraw, drawId,
-                           __glXDRIinvalidateBuffers, private)) {
+    if (DRI2CreateDrawable2(client, pDraw, drawId,
+                            __glXDRIinvalidateBuffers, private,
+                            &private->dri2_id)) {
         free(private);
         return NULL;
     }