From d40b66a8ef98777c69ac293dac9a332f88832c23 Mon Sep 17 00:00:00 2001
From: Gatis Paeglis <gatis.paeglis@theqtcompany.com>
Date: Wed, 7 Jan 2015 14:50:41 +0100
Subject: Fix use-after-free bug

xcb_image_destroy() calls free on m_xcb_image
and then few lines down we access member of
m_xcb_image. Swap order of these two actions.

Change-Id: I01fb43a066459cce462df6af22161c35cef524eb
Task-number: QTBUG-43623
Reviewed-by: Shawn Rutledge <shawn.rutledge@digia.com>
---
 src/plugins/platforms/xcb/qxcbbackingstore.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/plugins/platforms')

diff --git a/src/plugins/platforms/xcb/qxcbbackingstore.cpp b/src/plugins/platforms/xcb/qxcbbackingstore.cpp
index 0b9717759b..f4382c7b50 100644
--- a/src/plugins/platforms/xcb/qxcbbackingstore.cpp
+++ b/src/plugins/platforms/xcb/qxcbbackingstore.cpp
@@ -145,8 +145,6 @@ void QXcbShmImage::destroy()
     if (segmentSize && m_shm_info.shmaddr)
         Q_XCB_CALL(xcb_shm_detach(xcb_connection(), m_shm_info.shmseg));
 
-    xcb_image_destroy(m_xcb_image);
-
     if (segmentSize) {
         if (m_shm_info.shmaddr) {
             shmdt(m_shm_info.shmaddr);
@@ -156,6 +154,8 @@ void QXcbShmImage::destroy()
         }
     }
 
+    xcb_image_destroy(m_xcb_image);
+
     if (m_gc)
         Q_XCB_CALL(xcb_free_gc(xcb_connection(), m_gc));
 }
-- 
cgit v1.2.3