When something goes wrong during weston initialization,
weston_compositor_destroy() is executed. It destroys the backend and
then frees compositor memory. Unfortunately RDP backend is not correctly
destroyed. It frees compositor instead of a backend memory. This causes
later a double free error. The easiest way to reproduce a problem is to
run weston with an invalid option.
Additionally some other objects of rdp_backend structure are not
destroyed/freed. The patch fixes both issues.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=91457
v3: comply with Weston coding style, this time for real
v2: comply with Weston coding style
Signed-off-by: Dawid Gajownik <gajownik@gmail.com>
Reviewed-by: David FORT <contact@hardening-consulting.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
static void
rdp_destroy(struct weston_compositor *ec)
{
+ struct rdp_backend *b = (struct rdp_backend *) ec->backend;
+ int i;
+
weston_compositor_shutdown(ec);
+ for (i = 0; i < MAX_FREERDP_FDS; i++)
+ if (b->listener_events[i])
+ wl_event_source_remove(b->listener_events[i]);
+
+ freerdp_listener_free(b->listener);
- free(ec);
+ free(b->server_cert);
+ free(b->server_key);
+ free(b->rdp_key);
+ free(b);
}
static
projects / platform / upstream / weston.git / commitdiff