[PATCH weston 4/7] input: fix use-after-free issue at pointer_cancel
Pekka Paalanen
ppaalanen at gmail.com
Wed Mar 28 10:18:10 UTC 2018
On Tue, 20 Mar 2018 15:28:24 +0100
Emre Ucan <eucan at de.adit-jv.com> wrote:
> If the constraint is a one-shot constraint, the constraint
> is freed in the disable_pointer_constraint function.
> Therefore, we should not try to read freed memory at the
> "switch (constraint->lifetime)" statement.
>
> The removed code is superfluous anyway, because the
> surface destroy signal is only removed when the constraint
> is a one-shot constraint.
Not only superfluous, but it would corrupt the destroy listener list if
re-added. A nice find.
Thanks,
pq
> (Found by clang source code analyzer)
>
> Signed-off-by: Emre Ucan <eucan at de.adit-jv.com>
> ---
> libweston/input.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/libweston/input.c b/libweston/input.c
> index 3e91c26..a9d21cb 100644
> --- a/libweston/input.c
> +++ b/libweston/input.c
> @@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
> container_of(grab, struct weston_pointer_constraint, grab);
>
> disable_pointer_constraint(constraint);
> -
> - /* If this is a persistent constraint, re-add the surface destroy signal
> - * listener only if we are currently not destroying the surface. */
> - switch (constraint->lifetime) {
> - case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
> - if (constraint->surface->resource)
> - wl_signal_add(&constraint->surface->destroy_signal,
> - &constraint->surface_destroy_listener);
> - break;
> - case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
> - break;
> - }
> }
>
> static const struct weston_pointer_grab_interface
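Review bot: the removed `switch (constraint->lifetime)` dereferences `constraint` right after `disable_pointer_constraint(constraint)`, which the commit message says frees it for one-shot constraints, so deleting the block is the correct fix rather than reordering it. What the hunk cannot show is the body of `disable_pointer_constraint`, so a reader of this function alone has no way to see that persistent constraints keep their `surface_destroy_listener` registered and need no re-add. Consider a one-line comment after `disable_pointer_constraint(constraint);` such as `/* constraint may have been freed; do not touch it after this point */` so the read-after-free is not reintroduced by a later change, and consider stating in the commit message that the persistent path never removes the listener, which is the fact that makes the deleted code redundant.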