[PATCH weston] exposay: Fix use after free when a view is destroyed during animation
Pekka Paalanen
ppaalanen at gmail.com
Fri May 29 02:06:04 PDT 2015
On Tue, 26 May 2015 16:21:05 -0500
Derek Foreman <derekf at osg.samsung.com> wrote:
> Moving the destroy listener setup allows the animation completion handler
> to be called before we free any structures it needs.
>
> Signed-off-by: Derek Foreman <derekf at osg.samsung.com>
> ---
> desktop-shell/exposay.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/desktop-shell/exposay.c b/desktop-shell/exposay.c
> index 78e45fb..4b03bb7 100644
> --- a/desktop-shell/exposay.c
> +++ b/desktop-shell/exposay.c
> @@ -294,9 +294,6 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
> esurface->eoutput = eoutput;
> esurface->view = view;
>
> - esurface->view_destroy_listener.notify = handle_view_destroy;
> - wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
> -
> esurface->row = i / eoutput->grid_size;
> esurface->column = i % eoutput->grid_size;
>
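Review bot: removing the registration here, right after `esurface->view = view;`, leaves the esurface holding a view pointer with no destroy listener until the new wl_signal_add() call after exposay_animate_in(). The lines between the two hunks are not part of the diff, so please confirm that nothing in them can end the loop iteration early or destroy the view. If something can, the esurface would keep a dangling view pointer and handle_view_destroy would never run for it.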
> @@ -320,6 +317,15 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
>
> exposay_animate_in(esurface);
>
> + /* We want our destroy handler to be after the animation
> + * destroy handler in the list, this way when the view is
> + * destroyed, the animation can safely call the animation
> + * completion callback before we free the esurface in our
> + * destroy handler.
> + */
> + esurface->view_destroy_listener.notify = handle_view_destroy;
> + wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
> +
> i++;
> }
>
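Review bot: the new comment ahead of `wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);` makes the fix depend on listener order without saying why that order holds. wl_signal_add() appends to the end of the listener list, so this listener runs after the animation destroy handler the comment refers to; stating that in the comment would make the ordering harder to break when these calls are moved again. The guarantee also covers only animations started before this point: if another animation is started on the same view later, its listener would be added after this one and the esurface could again be freed first, so consider having handle_view_destroy deal with a pending animation explicitly rather than relying on registration order.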
Mm, subtle. But I see nothing wrong per se, so Acked-by me.
Thanks,
pq