From 58bb49a00b5608705107c993c49a5a67e74fb93d Mon Sep 17 00:00:00 2001
From: Kirill Primak <vyivel@eclair.cafe>
Date: Wed, 17 Jan 2024 02:22:21 +0300
Subject: [PATCH] security-context-v1: fix possible leaks on wl_client_create()
 and state copying errors

---
 types/wlr_security_context_v1.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/types/wlr_security_context_v1.c b/types/wlr_security_context_v1.c
index c675e9b8..ce7def5c 100644
--- a/types/wlr_security_context_v1.c
+++ b/types/wlr_security_context_v1.c
@@ -100,13 +100,18 @@ static void security_context_destroy(
 	free(security_context);
 }
 
+static void security_context_client_destroy(
+		struct wlr_security_context_v1_client *security_context_client) {
+	wl_list_remove(&security_context_client->destroy.link);
+	security_context_state_finish(&security_context_client->state);
+	free(security_context_client);
+}
+
 static void security_context_client_handle_destroy(struct wl_listener *listener,
 		void *data) {
 	struct wlr_security_context_v1_client *security_context_client =
 		wl_container_of(listener, security_context_client, destroy);
-	wl_list_remove(&security_context_client->destroy.link);
-	security_context_state_finish(&security_context_client->state);
-	free(security_context_client);
+	security_context_client_destroy(security_context_client);
 }
 
 static int security_context_handle_listen_fd_event(int listen_fd, uint32_t mask,
@@ -139,17 +144,19 @@ static int security_context_handle_listen_fd_event(int listen_fd, uint32_t mask,
 		if (client == NULL) {
 			wlr_log(WLR_ERROR, "wl_client_create failed");
 			close(client_fd);
-			return 0;
-		}
-
-		if (!security_context_state_copy(&security_context_client->state,
-				&security_context->state)) {
-			wl_client_post_no_memory(client);
+			free(security_context_client);
 			return 0;
 		}
 
 		security_context_client->destroy.notify = security_context_client_handle_destroy;
 		wl_client_add_destroy_listener(client, &security_context_client->destroy);
+
+		if (!security_context_state_copy(&security_context_client->state,
+				&security_context->state)) {
+			security_context_client_destroy(security_context_client);
+			wl_client_post_no_memory(client);
+			return 0;
+		}
 	}
 
 	return 0;