From 54a963608d23d35cd9233b2223f880ac3671f10b Mon Sep 17 00:00:00 2001 From: Jamey Sharp Date: Fri, 06 Aug 2010 22:51:56 +0000 Subject: Fix use-after-free in _XReply on X errors. _XReply would always call dequeue_pending_request on errors. When it got an error for the current request, it would call dequeue, then break out of the loop; then, if it had an error in the event queue, it would compare it with the sequence number of the now-freed pending request. _XReply already stored that sequence number in dpy->last_request_read before freeing it, so look at that instead. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412 Signed-off-by: Jamey Sharp Signed-off-by: Josh Triplett (cherry picked from commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18) --- diff --git a/src/xcb_io.c b/src/xcb_io.c index dac7622..72881d8 100644 --- a/src/xcb_io.c +++ b/src/xcb_io.c @@ -579,7 +579,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard) xcb_generic_event_t *event = dpy->xcb->next_event; unsigned long event_sequence = dpy->last_request_read; widen(&event_sequence, event->full_sequence); - if(event_sequence == current->sequence) + if(event_sequence == dpy->last_request_read) { error = (xcb_generic_error_t *) event; dpy->xcb->next_event = NULL; -- cgit v0.8.3-6-g21f6
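Review bot: the new test `if(event_sequence == dpy->last_request_read)` relies on an invariant that is stated only in the commit message: that `dpy->last_request_read` already holds the sequence number of the pending request that was just dequeued and freed. Nothing at this spot in `_XReply` records that. A short comment above the `if`, saying that `current` may already be freed here and must not be dereferenced, would keep a later edit from reintroducing the use-after-free. The same comment could note why the comparison is not trivially true: `event_sequence` is initialised from `dpy->last_request_read` two lines earlier and differs only after `widen(&event_sequence, event->full_sequence)`. The dangling `current` pointer also stays in scope at this point, so if any code after the loop can still reach it, consider clearing it where the request is dequeued, or copying the sequence number into a local before the free.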