[PATCH weston 4/7] input: fix use-after-free issue at pointer_cancel

Emre Ucan eucan at de.adit-jv.com
Tue Mar 20 14:28:24 UTC 2018


If the constraint is a one-shot constraint, the constraint
is freed in the disable_pointer_constraint function.
Therefore, we should not try to read freed memory at the
"switch (constraint->lifetime)" statement.

The removed code is superfluous anyway, because the
surface destroy signal is only removed when the constraint
is a one-shot constraint.

(Found by clang source code analyzer)

Signed-off-by: Emre Ucan <eucan at de.adit-jv.com>
---
 libweston/input.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/libweston/input.c b/libweston/input.c
index 3e91c26..a9d21cb 100644
--- a/libweston/input.c
+++ b/libweston/input.c
@@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
 		container_of(grab, struct weston_pointer_constraint, grab);
 
 	disable_pointer_constraint(constraint);
-
-	/* If this is a persistent constraint, re-add the surface destroy signal
-	 * listener only if we are currently not destroying the surface. */
-	switch (constraint->lifetime) {
-	case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
-		if (constraint->surface->resource)
-			wl_signal_add(&constraint->surface->destroy_signal,
-				      &constraint->surface_destroy_listener);
-		break;
-	case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
-		break;
-	}
 }
 
 static const struct weston_pointer_grab_interface
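Review bot: the use-after-free is visible in the hunk itself: `disable_pointer_constraint(constraint);` runs first, and the removed `switch (constraint->lifetime)` then dereferenced `constraint`, which the commit message says is freed for one-shot constraints, so deleting the block is the right fix. What the hunk does not show is the second claim, that the persistent-lifetime re-registration of `surface_destroy_listener` was redundant because the listener is only removed for one-shot constraints; consider naming in the commit message where in `disable_pointer_constraint` that invariant is enforced, or leaving a one-line comment after the call, so a future reader does not reintroduce the listener re-add and the dangling read with it.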
-- 
2.7.4
