ecore_wl2_tbmsurface: fix use after free of tbm_surface_queue

delete user data of queue in tbm_surface when tbm_surface_queue is deleted.

Change-Id: Ia0e35959b93e19af4ab5f203c705a58840006692

diff --git a/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c b/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
index b2aba75..a539818 100755 (executable)
--- a/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
+++ b/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
@@ -371,6 +371,9 @@ _evas_tbmbuf_surface_destroy(Ecore_Wl2_Surface *surface, void *priv_data)
 {
   Ecore_Wl2_Buffer *surf = NULL;
   Ecore_Wl2_Tbmbuf_Private *p = priv_data;
+  int i, num_surface = 0;
+  tbm_surface_h *surfaces;
+
   if (!surface) return;
   if (!p) return;
 
@@ -379,10 +382,20 @@ _evas_tbmbuf_surface_destroy(Ecore_Wl2_Surface *surface, void *priv_data)
     {
       if (surf->tbm_queue && tbm_queue_ref == 0)
         {
-          if (surf->tbm_surface)
-            tbm_surface_internal_set_user_data(surf->tbm_surface, KEY_WINDOW, NULL);
-          tbm_surface_queue_destroy(surf->tbm_queue);
-          surf->tbm_queue = NULL;
+           tbm_surface_queue_get_surfaces(surf->tbm_queue, NULL, &num_surface);
+           if (num_surface)
+             {
+                surfaces = calloc(num_surface, sizeof(*surfaces));
+                if (surfaces)
+                  {
+                     tbm_surface_queue_get_surfaces(surf->tbm_queue, surfaces, &num_surface);
+                     for (i = 0; i < num_surface; i++)
+                       tbm_surface_internal_set_user_data(surfaces[i], KEY_WINDOW, NULL);
+                     free(surfaces);
+                  }
+             }
+           tbm_surface_queue_destroy(surf->tbm_queue);
+           surf->tbm_queue = NULL;
         }
       if (tbm_queue_ref)
         --tbm_queue_ref;