[PATCH] Partially revert "xwayland: Always free reply from xcb_get_property_reply()"
Derek Foreman
derekf at osg.samsung.com
Wed Jul 15 13:19:35 PDT 2015
Reviewed-By: Derek Foreman <derekf at osg.samsung.com>
On 15/07/15 03:19 PM, Emmanuel Gil Peyrot wrote:
> This reverts commit d3553c721c0fed07f85b70fea418ca65ed974fbb.
>
> weston_wm_write_property() takes the ownership of the reply it gets as
> a parameter, and will eventually free it later in writable_callback.
>
> This change introduced a double-free when Xwayland programs triggered a
> copy to the clipboard, leading to a Weston crash.
> ---
> xwayland/selection.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/xwayland/selection.c b/xwayland/selection.c
> index 452cd69..25ec848 100644
> --- a/xwayland/selection.c
> +++ b/xwayland/selection.c
> @@ -117,13 +117,14 @@ weston_wm_get_incr_chunk(struct weston_wm *wm)
> dump_property(wm, wm->atom.wl_selection, reply);
>
> if (xcb_get_property_value_length(reply) > 0) {
> + /* reply's ownership is transfered to wm, which is responsible
> + * for freeing it */
> weston_wm_write_property(wm, reply);
> } else {
> weston_log("transfer complete\n");
> close(wm->data_source_fd);
> + free(reply);
> }
> -
> - free(reply);
> }
>
> struct x11_data_source {
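Review bot: the ownership rule is documented only as a comment at the call site in the `xcb_get_property_value_length(reply) > 0` branch, and the same two comment lines are repeated in weston_wm_get_selection_data(). The double-free being fixed came from an unconditional `free(reply)` at the end of the function, so a call-site comment is easy to miss again. Consider stating the contract once at weston_wm_write_property() itself (per the commit message, the reply is freed later in writable_callback) and keeping the call-site comments short. Minor: "transfered" should be "transferred".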
> @@ -247,12 +248,13 @@ weston_wm_get_selection_data(struct weston_wm *wm)
> return;
> } else if (reply->type == wm->atom.incr) {
> wm->incr = 1;
> + free(reply);
> } else {
> wm->incr = 0;
> + /* reply's ownership is transfered to wm, which is responsible
> + * for freeing it */
> weston_wm_write_property(wm, reply);
> }
> -
> - free(reply);
> }
>
> static void
>
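Review bot: in weston_wm_get_selection_data() the `free(reply)` now sits only in the `reply->type == wm->atom.incr` branch, so each exit path has its own ownership handling, and the early `return;` branch above it is only context here, so its handling of reply cannot be checked from this hunk. It is worth confirming that path does not need a free as well. The subject says "Partially revert" while the body says "This reverts commit"; one sentence in the message noting that the frees on the non-transfer paths (this incr branch and the "transfer complete" branch in weston_wm_get_incr_chunk()) are kept would make the scope of the revert clear.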