xdg_shell: Destroy ds_xdg_surfaces when cleaning up client

This patch fixes memory corruption caused by removing
ds_xdg_surfaces's link in destroy_xdg_surface().

When wl_client is destroyed, ds_xdg_shell_client can be destroyed
before its own ds_xdg_surfaces. This led to memory corruption because of
illegal access to a freed memory when trying to remove list of
ds_xdg_surface.link.

Change-Id: I40fa5c1121c86f0674d7df81643e9805594e9dae

diff --git a/src/libds/xdg_shell/xdg_shell.c b/src/libds/xdg_shell/xdg_shell.c
index a53684a..0b5252c 100644 (file)
--- a/src/libds/xdg_shell/xdg_shell.c
+++ b/src/libds/xdg_shell/xdg_shell.c
@@ -140,9 +140,13 @@ static void
 xdg_client_handle_resource_destroy(struct wl_resource *resource)
 {
     struct ds_xdg_client *client;
+    struct ds_xdg_surface *surface, *tmp;
 
     client = wl_resource_get_user_data(resource);
 
+    wl_list_for_each_safe(surface, tmp, &client->surfaces, link)
+        destroy_xdg_surface(surface);
+
     if (client->ping_timer != NULL)
         wl_event_source_remove(client->ping_timer);
 

diff --git a/src/libds/xdg_shell/xdg_shell.h b/src/libds/xdg_shell/xdg_shell.h
index ea67be7..dc50d37 100644 (file)
--- a/src/libds/xdg_shell/xdg_shell.h
+++ b/src/libds/xdg_shell/xdg_shell.h
@@ -168,6 +168,8 @@ struct ds_xdg_surface *
 create_xdg_surface(struct ds_xdg_client *client, struct ds_surface *surface,
         uint32_t id);
 
+void destroy_xdg_surface(struct ds_xdg_surface *surface);
+
 void
 reset_xdg_surface(struct ds_xdg_surface *surface);