xwayland: fix some use-after-free in xwm

This commit is contained in:
emersion 2018-02-23 10:20:53 +01:00
parent bd9583a7e8
commit b1e2718dd7
No known key found for this signature in database
GPG key ID: 0FDE7BE0E88F5E48
4 changed files with 25 additions and 7 deletions

View file

@ -14,6 +14,7 @@ struct wlr_compositor {
struct { struct {
struct wl_signal new_surface; struct wl_signal new_surface;
struct wl_signal destroy;
} events; } events;
}; };

View file

@ -93,7 +93,8 @@ struct wlr_xwm {
const xcb_query_extension_reply_t *xfixes; const xcb_query_extension_reply_t *xfixes;
struct wl_listener compositor_surface_create; struct wl_listener compositor_new_surface;
struct wl_listener compositor_destroy;
struct wl_listener seat_selection; struct wl_listener seat_selection;
struct wl_listener seat_primary_selection; struct wl_listener seat_primary_selection;
}; };

View file

@ -90,6 +90,7 @@ void wlr_compositor_destroy(struct wlr_compositor *compositor) {
if (compositor == NULL) { if (compositor == NULL) {
return; return;
} }
wlr_signal_emit_safe(&compositor->events.destroy, compositor);
wl_list_remove(&compositor->display_destroy.link); wl_list_remove(&compositor->display_destroy.link);
wl_global_destroy(compositor->wl_global); wl_global_destroy(compositor->wl_global);
free(compositor); free(compositor);
@ -195,6 +196,7 @@ struct wlr_compositor *wlr_compositor_create(struct wl_display *display,
wl_list_init(&compositor->wl_resources); wl_list_init(&compositor->wl_resources);
wl_list_init(&compositor->surfaces); wl_list_init(&compositor->surfaces);
wl_signal_init(&compositor->events.new_surface); wl_signal_init(&compositor->events.new_surface);
wl_signal_init(&compositor->events.destroy);
compositor->display_destroy.notify = handle_display_destroy; compositor->display_destroy.notify = handle_display_destroy;
wl_display_add_destroy_listener(display, &compositor->display_destroy); wl_display_add_destroy_listener(display, &compositor->display_destroy);

View file

@ -1019,11 +1019,11 @@ static int x11_event_handler(int fd, uint32_t mask, void *data) {
return count; return count;
} }
static void handle_compositor_surface_create(struct wl_listener *listener, static void handle_compositor_new_surface(struct wl_listener *listener,
void *data) { void *data) {
struct wlr_surface *surface = data;
struct wlr_xwm *xwm = struct wlr_xwm *xwm =
wl_container_of(listener, xwm, compositor_surface_create); wl_container_of(listener, xwm, compositor_new_surface);
struct wlr_surface *surface = data;
if (wl_resource_get_client(surface->resource) != xwm->xwayland->client) { if (wl_resource_get_client(surface->resource) != xwm->xwayland->client) {
return; return;
} }
@ -1043,6 +1043,16 @@ static void handle_compositor_surface_create(struct wl_listener *listener,
} }
} }
static void handle_compositor_destroy(struct wl_listener *listener,
void *data) {
struct wlr_xwm *xwm =
wl_container_of(listener, xwm, compositor_destroy);
wl_list_remove(&xwm->compositor_new_surface.link);
wl_list_remove(&xwm->compositor_destroy.link);
wl_list_init(&xwm->compositor_new_surface.link);
wl_list_init(&xwm->compositor_destroy.link);
}
void wlr_xwayland_surface_activate(struct wlr_xwayland_surface *xsurface, void wlr_xwayland_surface_activate(struct wlr_xwayland_surface *xsurface,
bool activated) { bool activated) {
struct wlr_xwayland_surface *focused = xsurface->xwm->focus_surface; struct wlr_xwayland_surface *focused = xsurface->xwm->focus_surface;
@ -1124,7 +1134,8 @@ void xwm_destroy(struct wlr_xwm *xwm) {
wl_list_for_each_safe(xsurface, tmp, &xwm->unpaired_surfaces, link) { wl_list_for_each_safe(xsurface, tmp, &xwm->unpaired_surfaces, link) {
wlr_xwayland_surface_destroy(xsurface); wlr_xwayland_surface_destroy(xsurface);
} }
wl_list_remove(&xwm->compositor_surface_create.link); wl_list_remove(&xwm->compositor_new_surface.link);
wl_list_remove(&xwm->compositor_destroy.link);
xcb_disconnect(xwm->xcb_conn); xcb_disconnect(xwm->xcb_conn);
free(xwm); free(xwm);
@ -1407,9 +1418,12 @@ struct wlr_xwm *xwm_create(struct wlr_xwayland *wlr_xwayland) {
xwm_selection_init(xwm); xwm_selection_init(xwm);
xwm->compositor_surface_create.notify = handle_compositor_surface_create; xwm->compositor_new_surface.notify = handle_compositor_new_surface;
wl_signal_add(&wlr_xwayland->compositor->events.new_surface, wl_signal_add(&wlr_xwayland->compositor->events.new_surface,
&xwm->compositor_surface_create); &xwm->compositor_new_surface);
xwm->compositor_destroy.notify = handle_compositor_destroy;
wl_signal_add(&wlr_xwayland->compositor->events.destroy,
&xwm->compositor_destroy);
xwm_create_wm_window(xwm); xwm_create_wm_window(xwm);