e_hwc_windows: fix use after free of e_hwc_window

if queue buffer is released when hwc_window of client fetch buffer,
hwc_window can be freed while hwc_windows list is iterated
in _e_hwc_windows_changes_update.
it ouccur that hwc_window is used after freed.
for fixing it, we reference e_hwc_widnow before hwc_windows list is iterated
and it makes prevent hwc_windows is freed in e_hwc_window_buffer_fetch.

Change-Id: I90d656bc6380b4fe69d5a75f88a7dfe55c21cc8d

diff --git a/src/bin/e_hwc_windows.c b/src/bin/e_hwc_windows.c
index 4627f6d..b0814ee 100644 (file)
--- a/src/bin/e_hwc_windows.c
+++ b/src/bin/e_hwc_windows.c
@@ -2723,6 +2723,11 @@ _e_hwc_windows_changes_update(E_Hwc *hwc)
         if (e_hwc_window_is_target(hwc_window)) continue;
 
         e_hwc_window_ref(hwc_window);
+     }
+
+   EINA_LIST_FOREACH_SAFE(hwc->hwc_windows, l, ll, hwc_window)
+     {
+        if (e_hwc_window_is_target(hwc_window)) continue;
 
         /* fetch the window buffer */
         if (e_hwc_window_buffer_fetch(hwc_window))
@@ -2747,6 +2752,11 @@ _e_hwc_windows_changes_update(E_Hwc *hwc)
 
         if (e_hwc_window_device_state_available_update(hwc_window))
           update_changes = EINA_TRUE;
+     }
+
+   EINA_LIST_FOREACH_SAFE(hwc->hwc_windows, l, ll, hwc_window)
+     {
+        if (e_hwc_window_is_target(hwc_window)) continue;
 
         e_hwc_window_unref(hwc_window);
      }