input: fix use-after-free issue at pointer_cancel

If the constraint is an one-shot constraint, constraint
is freed in disable_pointer_constraint function.
Therefore, we should not try to read freed memory at
"switch (constraint->lifetime)" statement.

The removed code is anyway superfluous. Because
surface destroy signal is only removed, when constraint
is an one-shot constraint.

(Found by clang source code analyzer)

Signed-off-by: Emre Ucan <eucan@de.adit-jv.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>

diff --git a/libweston/input.c b/libweston/input.c
index 3e91c266a09c0dec72b0cb0fc9af3e8fb7fd835a..a9d21cb518b71e35f6b830a823c47d465d8e80f4 100644 (file)
--- a/libweston/input.c
+++ b/libweston/input.c
@@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
                container_of(grab, struct weston_pointer_constraint, grab);
 
        disable_pointer_constraint(constraint);
-
-       /* If this is a persistent constraint, re-add the surface destroy signal
-        * listener only if we are currently not destroying the surface. */
-       switch (constraint->lifetime) {
-       case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
-               if (constraint->surface->resource)
-                       wl_signal_add(&constraint->surface->destroy_signal,
-                                     &constraint->surface_destroy_listener);
-               break;
-       case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
-               break;
-       }
 }
 
 static const struct weston_pointer_grab_interface