From eacb4cf6d290ba197be1ce6070cba172213e1fc4 Mon Sep 17 00:00:00 2001
From: "Brian J. Tarricone"
Date: Wed, 27 Sep 2023 23:54:51 -0700
Subject: [PATCH] Fix possible crash in server-decoration when surface destroyed

If the underlying surface is destroyed, but the client has not yet destroyed the server decoration object, and then tries to call request_mode() on it, the compositor will crash, because the wlr_server_decoration struct has been freed, and the wl_resource's user_data member has been NULLed out. Yes, this is certainly an error for the client to do that, but I shouldn't be able to write a buggy (or malicious) Wayland app that can take down the entire compositor.
---
 types/wlr_server_decoration.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/types/wlr_server_decoration.c b/types/wlr_server_decoration.c
index 425230ec..3cf19c2f 100644
--- a/types/wlr_server_decoration.c
+++ b/types/wlr_server_decoration.c
@@ -24,7 +24,7 @@ static void server_decoration_handle_request_mode(struct wl_client *client,
 struct wl_resource *resource, uint32_t mode) {
 struct wlr_server_decoration *decoration =
 decoration_from_resource(resource);
- if (decoration->mode == mode) {
+ if (decoration == NULL || decoration->mode == mode) {
 return;
 }
 decoration->mode = mode;
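Review bot: The new `decoration == NULL` test in server_decoration_handle_request_mode is folded into the unrelated `decoration->mode == mode` no-op check, so the code does not show that NULL is an expected state here, reachable by any client. Per the commit message, the resource's user data is cleared once the surface is destroyed while the client still holds the object. I would make it a separate guard, `if (decoration == NULL) { return; }`, under a comment such as `/* resource is inert: its surface was already destroyed */`. Other request handlers that dereference the result of `decoration_from_resource()` would presumably need the same guard; none is visible in this hunk, so the rest of the file should be checked. The function body continues past the hunk's last line.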