glx: Don't create a shared context if the other context isn't the same kind

Each of the DRI, DRI2, and DRISW backends contain code like the
following in their create-context routine:

   if (shareList) {
      pcp_shared = (struct dri2_context *) shareList;
      shared = pcp_shared->driContext;
   }

This assumes that the glx_context *shareList is actually the correct
derived type.  However, if shareList was created as an
indirect-rendering context, it will not be the expected type.  As a
result, shared will contain garbage.  This garbage will be passed to
the driver, and the driver will probably segfault.  This can be
observed with the following GLX code:

    ctx0 = glXCreateContext(dpy, visinfo, NULL, False);
    ctx1 = glXCreateContext(dpy, visinfo, ctx0, True);

Create-context is the only case where this occurs.  All other cases
where a context is passed to the backend, it is the 'this' pointer
(i.e., we got to the backend by call something from ctx->vtable).

To work around this, check that the shareList->vtable->destroy method
is the same as the destroy method of the expected type.  We could also
check that shareList->vtable matches the vtable or by adding a "tag"
to glx_context to identify the derived type.

NOTE: This is a candidate for the 7.11 branch.

Signed-off-by: Ian Romanick <ian.d.romanick@intel.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>

diff --git a/src/glx/dri2_glx.c b/src/glx/dri2_glx.c
index 553869a53f92d13597d2fcaa366333506aaba9c8..f929fddcf65c4ead3f83b9cce56b96e845f89eee 100644 (file)
--- a/src/glx/dri2_glx.c
+++ b/src/glx/dri2_glx.c
@@ -185,6 +185,13 @@ dri2_create_context(struct glx_screen *base,
    __DRIcontext *shared = NULL;
 
    if (shareList) {
+      /* If the shareList context is not a DRI2 context, we cannot possibly
+       * create a DRI2 context that shares it.
+       */
+      if (shareList->vtable->destroy != dri2_destroy_context) {
+        return NULL;
+      }
+
       pcp_shared = (struct dri2_context *) shareList;
       shared = pcp_shared->driContext;
    }

diff --git a/src/glx/dri_glx.c b/src/glx/dri_glx.c
index 666423a7b1577ea6b08c9e5db9e8bbecfb9ac289..9365224a69643e34791fddbc38f22f68e0346a54 100644 (file)
--- a/src/glx/dri_glx.c
+++ b/src/glx/dri_glx.c
@@ -587,6 +587,13 @@ dri_create_context(struct glx_screen *base,
       return NULL;
 
    if (shareList) {
+      /* If the shareList context is not a DRI context, we cannot possibly
+       * create a DRI context that shares it.
+       */
+      if (shareList->vtable->destroy != dri_destroy_context) {
+        return NULL;
+      }
+
       pcp_shared = (struct dri_context *) shareList;
       shared = pcp_shared->driContext;
    }

diff --git a/src/glx/drisw_glx.c b/src/glx/drisw_glx.c
index f6aeda90abb5452f6936a1c2a084272ddd16d808..801ac7d470bc19559f82b010e6f41beb0d996084 100644 (file)
--- a/src/glx/drisw_glx.c
+++ b/src/glx/drisw_glx.c
@@ -383,6 +383,13 @@ drisw_create_context(struct glx_screen *base,
       return NULL;
 
    if (shareList) {
+      /* If the shareList context is not a DRISW context, we cannot possibly
+       * create a DRISW context that shares it.
+       */
+      if (shareList->vtable->destroy != drisw_destroy_context) {
+        return NULL;
+      }
+
       pcp_shared = (struct drisw_context *) shareList;
       shared = pcp_shared->driContext;
    }