[PATCH weston] exposay: Fix use after free when a view is destroyed during animation

[Derek Foreman]

Moving the destroy listener setup allows the animation completion handler
to be called before we free any structures it needs.

Signed-off-by: Derek Foreman <derekf at osg.samsung.com>
---
 desktop-shell/exposay.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/desktop-shell/exposay.c b/desktop-shell/exposay.c
index 78e45fb..4b03bb7 100644
--- a/desktop-shell/exposay.c
+++ b/desktop-shell/exposay.c
@@ -294,9 +294,6 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
 		esurface->eoutput = eoutput;
 		esurface->view = view;
 
-		esurface->view_destroy_listener.notify = handle_view_destroy;
-		wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
-
 		esurface->row = i / eoutput->grid_size;
 		esurface->column = i % eoutput->grid_size;
 
@@ -320,6 +317,15 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
 
 		exposay_animate_in(esurface);
 
+		/* We want our destroy handler to be after the animation
+		 * destroy handler in the list, this way when the view is
+		 * destroyed, the animation can safely call the animation
+		 * completion callback before we free the esurface in our
+		 * destroy handler.
+		 */
+		esurface->view_destroy_listener.notify = handle_view_destroy;
+		wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
+
 		i++;
 	}
 
-- 
2.1.4