authorMatthieu Herrb <matthieu@cvs.openbsd.org>2008-06-11 16:15:29 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2008-06-11 16:15:29 +0000
commit7ea6036bc3091fbaed7ddaeee77e4884d4e0828a (patch)
treea82f4d3b5675c9772f897ac9dc2dcabed54d7703 /xserver/dbe
parent879ae0df495e76fe420d171dac567c88d9548efd (diff)
Fix from X.Org for a possible, non-exploitable crash in the DBE extension.
Reported to iDefense by regenrecht. Patch from Dave Airlie.
Diffstat (limited to 'xserver/dbe')
-rw-r--r--xserver/dbe/dbe.c54
1 files changed, 28 insertions, 26 deletions
diff --git a/xserver/dbe/dbe.c b/xserver/dbe/dbe.c
index d63620d4f..b90100aff 100644
--- a/xserver/dbe/dbe.c
+++ b/xserver/dbe/dbe.c
@@ -374,7 +374,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
xDbeSwapAction swapAction;
VisualID visual;
int status;
-
+ int add_index;
REQUEST_SIZE_MATCH(xDbeAllocateBackBufferNameReq);
@@ -445,14 +445,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
return(BadAlloc);
}
- /* Make the window priv a DBE window priv resource. */
- if (!AddResource(stuff->buffer, dbeWindowPrivResType,
- (pointer)pDbeWindowPriv))
- {
- xfree(pDbeWindowPriv);
- return(BadAlloc);
- }
-
/* Fill out window priv information. */
pDbeWindowPriv->pWindow = pWin;
pDbeWindowPriv->width = pWin->drawable.width;
@@ -466,13 +458,13 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
/* Initialize the buffer ID list. */
pDbeWindowPriv->maxAvailableIDs = DBE_INIT_MAX_IDS;
- pDbeWindowPriv->IDs[0] = stuff->buffer;
- for (i = 1; i < DBE_INIT_MAX_IDS; i++)
- {
+
+ add_index = 0;
+ for (i = 1; i < DBE_INIT_MAX_IDS; i++)
+ {
pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
}
-
/* Actually connect the window priv to the window. */
pWin->devPrivates[dbeWindowPrivIndex].ptr = (pointer)pDbeWindowPriv;
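Review bot: With the `IDs[0] = stuff->buffer` assignment removed, the initialisation loop still starts at `i = 1`, so `IDs[0]` is not written in this hunk and stays unset until the success branch later in the function stores the buffer ID. If the window priv is not zero-allocated (the allocation is outside this hunk), anything that scans the ID list before then, including the DDX allocation hook, would read an indeterminate value. Starting the loop at zero, `for (i = 0; i < DBE_INIT_MAX_IDS; i++)`, leaves every slot as `DBE_FREE_ID_ELEMENT` until a buffer is actually registered.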
@@ -537,16 +529,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
pDbeWindowPriv->maxAvailableIDs += DBE_INCR_MAX_IDS;
}
- /* Finally, record the buffer ID in the array. */
- pDbeWindowPriv->IDs[i] = stuff->buffer;
-
- /* Associate the new ID with an existing window priv. */
- if (!AddResource(stuff->buffer, dbeWindowPrivResType,
- (pointer)pDbeWindowPriv))
- {
- pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
- return(BadAlloc);
- }
+ add_index = i;
} /* else -- A buffer is already associated with the window. */
@@ -555,13 +538,27 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
status = (*pDbeScreenPriv->AllocBackBufferName)(pWin, stuff->buffer,
stuff->swapAction);
- if ((status != Success) && (pDbeWindowPriv->nBufferIDs == 0))
+ if (status == Success)
{
+ pDbeWindowPriv->IDs[add_index] = stuff->buffer;
+ if (!AddResource(stuff->buffer, dbeWindowPrivResType,
+ (pointer)pDbeWindowPriv))
+ {
+ pDbeWindowPriv->IDs[add_index] = DBE_FREE_ID_ELEMENT;
+
+ if (pDbeWindowPriv->nBufferIDs == 0) {
+ status = BadAlloc;
+ goto out_free;
+ }
+ }
+ } else {
/* The DDX buffer allocation routine failed for the first buffer of
* this window.
*/
- xfree(pDbeWindowPriv);
- return(status);
+
+ if (pDbeWindowPriv->nBufferIDs == 0) {
+ goto out_free;
+ }
}
/* Increment the number of buffers (XIDs) associated with this window. */
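Review bot: In the `status == Success` branch, an `AddResource` failure when `nBufferIDs != 0` resets the slot but leaves `status` at `Success` and falls through, so the client is told the name was allocated although no resource was registered for it. The counter increment announced by the comment just below the hunk presumably still runs in that case, which would leave `nBufferIDs` out of step with the ID array. Setting `status = BadAlloc;` before the `if (pDbeWindowPriv->nBufferIDs == 0)` test and adding `return(status);` after it would report the failure on both paths; whether the buffer the DDX hook just allocated must also be released there is not visible in this hunk. The comment kept in the `else` branch now describes only the inner `nBufferIDs == 0` case and would read better inside that `if`.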
@@ -573,6 +570,11 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
return(status);
+out_free:
+ pWin->devPrivates[dbeWindowPrivIndex].ptr = NULL;
+ xfree(pDbeWindowPriv);
+ return(status);
+
} /* ProcDbeAllocateBackBufferName() */
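Review bot: The `out_free` label frees the window priv unconditionally, and nothing near it states the precondition that makes this safe: both `goto out_free` sites in the previous hunk are guarded by `nBufferIDs == 0`. A comment above the label such as `/* Only reached with nBufferIDs == 0; the priv must not be freed while buffer IDs still refer to it. */` would stop a later change from jumping here while IDs are still live.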