<div dir="ltr">Hi Daniel,<br><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 18, 2018 at 12:22 PM, Daniel Stone <span dir="ltr"><<a href="mailto:daniel@fooishbar.org" target="_blank">daniel@fooishbar.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
</span>Odd; how could we have a realized 0x0 window which also has damage? I<br></blockquote><div><br></div><div>Hehe, yep, I had the same question, but didn't find the answer... :)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
wonder if this isn't actually a UAF where the xwl_window has since<br>
been unrealized, in which case you should be able to reproduce pretty<br>
easily by causing damage on a window and then immediately destroying<br>
it. In that case, we just need<br>
wl_list_remove(&xwl_window-><wbr>link_damage) inside<br>
xwl_window_unrealize().<br></blockquote></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">But we do already do an “xorg_list_del(&xwl_window->link_damage);” in xwl_window_unrealize()</div><div class="gmail_extra"><br></div><div class="gmail_extra">However, we do that only if xwl_window is a thing and the damage region is not empty:<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><a href="https://cgit.freedesktop.org/xorg/xserver/tree/hw/xwayland/xwayland.c#n583">https://cgit.freedesktop.org/xorg/xserver/tree/hw/xwayland/xwayland.c#n583</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">Weird...</div><div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Olivier<br></div></div></div>
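The concern raised in this exchange, as an added example that is not part of the original mail and is not Xwayland code: a small C model of a window on a damage list, comparing a teardown that unlinks only when a damage flag is set with one that unlinks unconditionally. The `list`, `window`, `has_damage` and `unrealize_*` names are hypothetical stand-ins, and the state in which the flag and the list membership disagree is constructed for illustration, not a claim about how the reported crash arose.

```c
#include <stdbool.h>

/* Minimal intrusive doubly linked list (hypothetical, not xorg_list or wl_list). */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l->next = l; }
static void list_add(struct list *n, struct list *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
/* Unlink and re-initialise, so deleting an already unlinked node is harmless. */
static void list_del(struct list *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}
static bool list_contains(const struct list *head, const struct list *n) {
    for (const struct list *p = head->next; p != head; p = p->next)
        if (p == n) return true;
    return false;
}

/* Hypothetical stand-in for a window tracked on a "damaged windows" list. */
struct window {
    struct list link_damage;
    bool has_damage;            /* stand-in for "damage region is not empty" */
};
static void window_damage(struct window *w, struct list *damaged) {
    if (!list_contains(damaged, &w->link_damage)) list_add(&w->link_damage, damaged);
    w->has_damage = true;
}
/* Guarded teardown: unlinks only when the damage state says there is damage. */
static void unrealize_guarded(struct window *w) {
    if (w->has_damage) list_del(&w->link_damage);
}
/* Unconditional teardown: safe because link_damage is always initialised. */
static void unrealize_unconditional(struct window *w) { list_del(&w->link_damage); }

/* True if the list still reaches the window after teardown; freeing the
 * window at that point would leave a dangling pointer on the list. */
static bool stale_after_teardown(bool unconditional) {
    struct list damaged; struct window w = { .has_damage = false };
    list_init(&damaged); list_init(&w.link_damage);
    window_damage(&w, &damaged);
    w.has_damage = false;       /* constructed: flag and membership disagree */
    if (unconditional) unrealize_unconditional(&w); else unrealize_guarded(&w);
    return list_contains(&damaged, &w.link_damage);
}

int main(void) { return (stale_after_teardown(false) && !stale_after_teardown(true)) ? 0 : 1; }
```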