From a604a0a26791e9f352aad27232127d729bca4334 Mon Sep 17 00:00:00 2001
From: Erik Kurzinger <ekurzinger@nvidia.com>
Date: Thu, 10 Dec 2020 14:24:32 -0800
Subject: [PATCH xserver 26/27] glx: don't create implicit GLXWindow if one
 already exists

If a GLXMakeCurrent request specifies an X window as its drawable,
__glXGetDrawable will implicitly create a GLXWindow for it. However,
the client may have already explicitly created a GLXWindow for that X
window. If that happens, two __glXDrawableRes resources will be added
to the window.

If the explicitly-created GLXWindow is later destroyed by the client,
DrawableGone will call FreeResourceByType on the X window, but this
will actually free the resource for the implicitly-created GLXWindow,
since that one would be at the head of the list.

Then if the X window is destroyed after that, the resource for the
explicitly-created GLXWindow will be freed. But that GLXWindow was
already destroyed above. This crashes the server when it tries to call
the destroyed GLXWindow's destructor. It also means the
implicitly-created GLXWindow would have been leaked since the
FreeResourceByType call mentioned above skips calling the destructor.

To fix this, if __glXGetDrawable is given an X window, it should check
if there is already a GLXWindow associated with it, and only create an
implicit one if there is not.

Signed-off-by: Erik Kurzinger <ekurzinger@nvidia.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit b7a85e44da91d1663d5b4eabac06327c92a80f91)
---
 glx/glxcmds.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 37576b6ef..1b9ad6d14 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -487,8 +487,15 @@ __glXGetDrawable(__GLXcontext * glxc, GLXDrawable drawId, ClientPtr client,
     __GLXscreen *pGlxScreen;
     int rc;
 
-    if (validGlxDrawable(client, drawId, GLX_DRAWABLE_ANY,
-                         DixWriteAccess, &pGlxDraw, &rc)) {
+    rc = dixLookupResourceByType((void **)&pGlxDraw, drawId,
+                                 __glXDrawableRes, client, DixWriteAccess);
+    if (rc == Success &&
+        /* If pGlxDraw->drawId == drawId, drawId is a valid GLX drawable.
+         * Otherwise, if pGlxDraw->type == GLX_DRAWABLE_WINDOW, drawId is
+         * an X window, but the client has already created a GLXWindow
+         * associated with it, so we don't want to create another one. */
+        (pGlxDraw->drawId == drawId ||
+         pGlxDraw->type == GLX_DRAWABLE_WINDOW)) {
         if (glxc != NULL &&
             glxc->config != NULL &&
             glxc->config != pGlxDraw->config) {
-- 
2.31.1