[PATCH] wayland: Destroy frame callback when destroying surface

Jonas Ådahl jadahl at gmail.com
Sat Oct 27 15:50:12 PDT 2012


If a frame callback is not destroyed when destroying a surface, its
handler function will be invoked if the surface was destroyed after the
callback was requested but before it was invoked, causing a write on
freed memory.

This can happen if eglDestroySurface() is called shortly after
eglSwapBuffers().
---

Hi,

This is one part of a two-part fix. Further explanation can be found here:
http://lists.freedesktop.org/archives/wayland-devel/2012-October/006021.html

Jonas

 src/egl/drivers/dri2/platform_wayland.c                 |    3 +++
 src/gallium/state_trackers/egl/wayland/native_wayland.c |    3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/egl/drivers/dri2/platform_wayland.c b/src/egl/drivers/dri2/platform_wayland.c
index 9153ef9..1c0ab38 100644
--- a/src/egl/drivers/dri2/platform_wayland.c
+++ b/src/egl/drivers/dri2/platform_wayland.c
@@ -213,6 +213,9 @@ dri2_destroy_surface(_EGLDriver *drv, _EGLDisplay *disp, _EGLSurface *surf)
                                     dri2_surf->third_buffer);
    }
 
+   if (dri2_surf->frame_callback)
+	   wl_callback_destroy(dri2_surf->frame_callback);
+
    free(surf);
 
    return EGL_TRUE;
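
Review bot: The added wl_callback_destroy() line is indented with a tab followed by spaces, while the if line above it and the surrounding context use spaces only; please re-indent it to match. Separately, the `if (dri2_surf->frame_callback)` guard is only safe if the pointer is reset to NULL once the callback has fired and been destroyed; that reset is not visible in this hunk, so it is worth confirming the frame handler does it, otherwise this path could destroy the callback a second time.
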
diff --git a/src/gallium/state_trackers/egl/wayland/native_wayland.c b/src/gallium/state_trackers/egl/wayland/native_wayland.c
index 62c87f3..560e40d 100644
--- a/src/gallium/state_trackers/egl/wayland/native_wayland.c
+++ b/src/gallium/state_trackers/egl/wayland/native_wayland.c
@@ -355,6 +355,9 @@ wayland_surface_destroy(struct native_surface *nsurf)
          wl_buffer_destroy(surface->buffer[buffer]);
    }
 
+   if (surface->frame_callback)
+      wl_callback_destroy(surface->frame_callback);
+
    resource_surface_destroy(surface->rsurf);
    FREE(surface);
 }
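
Review bot: Nothing at the new `if (surface->frame_callback)` block says why the callback has to go before FREE(surface), and the ordering is what prevents the write to freed memory described in the commit message. A one-line comment above the check, noting that a pending frame callback would otherwise run its handler against the freed surface, would keep a later cleanup from moving or dropping it. As in the dri2 hunk, the guard assumes frame_callback is NULL whenever no callback is outstanding, which these lines do not show.
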
-- 
1.7.10.4


