[PATCH] server: Fix crash when accessing client which is already freed
Hyunkook Khang
hyunkook.khang at lge.com
Wed Sep 21 07:08:41 UTC 2016
While processing pending data, the client could be destroyed in the middle of
the process (e.g. by invoking wl_display_flush_clients()).
In this case, the client will be freed, but we are still processing the data
of the client, so it could cause a crash.
To avoid this, instead of destroying the client directly,
just set the error here and destroy the client where it needs to be.
Signed-off-by: Hyunkook Khang <hyunkook.khang at lge.com>
---
src/wayland-server.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/wayland-server.c b/src/wayland-server.c
index 9d7d9c1..89d0bac 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -1103,10 +1103,16 @@ wl_display_terminate(struct wl_display *display)
WL_EXPORT void
wl_display_run(struct wl_display *display)
{
+ struct wl_client *client, *next;
+
display->run = 1;
while (display->run) {
wl_display_flush_clients(display);
+ wl_list_for_each_safe(client, next, &display->client_list, link) {
+ if (client->error)
+ wl_client_destroy(client);
+ }
wl_event_loop_dispatch(display->loop, -1);
}
}
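Review bot: The sweep that destroys clients with client->error set lives only inside the wl_display_run() loop, so any caller that runs its own loop and calls wl_display_flush_clients() and wl_event_loop_dispatch() directly will never free a client whose flush failed, now that the second hunk no longer destroys it there. Consider moving the wl_list_for_each_safe() sweep into a small helper that runs at a point known to be outside client data processing and is reachable from every path that can set client->error, or document that such callers must reap errored clients themselves. The commit message names a nested wl_display_flush_clients() call as the trigger, so a short comment above the sweep saying why destruction is deferred to this point would help the next reader.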
@@ -1124,7 +1130,7 @@ wl_display_flush_clients(struct wl_display *display)
WL_EVENT_WRITABLE |
WL_EVENT_READABLE);
} else if (ret < 0) {
- wl_client_destroy(client);
+ client->error = 1;
}
}
}
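Review bot: In the ret < 0 branch, client->error = 1 discards the reason for the failure, and there is no comment saying that destruction is now deferred or where it happens. If the field is meant to carry an error code, store the actual one from the failed flush instead of a constant, and add a one-line comment pointing at the sweep in wl_display_run(). Nothing in this hunk makes a later call skip a client that is already marked, so please also confirm that flushing a client in the error state again is harmless until it is destroyed, or skip such clients at the top of the loop.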
--
1.7.9.5