From 4a1c9a19257305abfbf8498a5405fe119049a322 Mon Sep 17 00:00:00 2001
From: Dominique Martinet <asmadeus@codewreck.org>
Date: Mon, 25 Jun 2018 10:30:51 +0900
Subject: [PATCH] xwm: fix use-after-free involving parents/children

Happens when e.g. closing gimp.

==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0
WRITE of size 8 at 0x6150001a7a78 thread T0
    #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55
    #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0)
freed by thread T0 here:
    #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

previously allocated by thread T0 here:
    #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119
    #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706
    #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
---
 xwayland/xwm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xwayland/xwm.c b/xwayland/xwm.c
index b397b1e8..66a85d05 100644
--- a/xwayland/xwm.c
+++ b/xwayland/xwm.c
@@ -294,6 +294,12 @@ static void xwayland_surface_destroy(
 	wl_list_remove(&xsurface->link);
 	wl_list_remove(&xsurface->parent_link);
 
+	struct wlr_xwayland_surface *child, *next;
+	wl_list_for_each_safe(child, next, &xsurface->children, parent_link) {
+		wl_list_remove(&child->parent_link);
+		wl_list_init(&child->parent_link);
+	}
+
 	if (xsurface->surface_id) {
 		wl_list_remove(&xsurface->unpaired_link);
 	}