e_hwc_windows: fix accessing e_hwc_window after it is freed

e_hwc_window can be freed in _e_hwc_windows_changes_update
in case of queue_buffer is released in e_hwc_window_buffer_fetch.

for preventing e_hwc_window is freed, e_hwc_window is referenced
when it is updated.

Change-Id: I0963c9ebedc0b64b7b03b75b402ece31797a1e9f

diff --git a/src/bin/e_hwc_windows.c b/src/bin/e_hwc_windows.c
index c9bccb1..e519ff6 100644 (file)
--- a/src/bin/e_hwc_windows.c
+++ b/src/bin/e_hwc_windows.c
@@ -2639,7 +2639,7 @@ _e_hwc_windows_changes_update(E_Hwc *hwc)
 {
    E_Hwc_Window *hwc_window = NULL;
    Eina_Bool update_changes = EINA_FALSE;
-   const Eina_List *l;
+   const Eina_List *l, *ll;
 
    if (hwc->property_changed)
      {
@@ -2655,10 +2655,12 @@ _e_hwc_windows_changes_update(E_Hwc *hwc)
    if (_e_hwc_windows_device_state_available_update(hwc))
      update_changes = EINA_TRUE;
 
-   EINA_LIST_FOREACH(hwc->hwc_windows, l, hwc_window)
+   EINA_LIST_FOREACH_SAFE(hwc->hwc_windows, l, ll, hwc_window)
      {
         if (e_hwc_window_is_target(hwc_window)) continue;
 
+        e_hwc_window_ref(hwc_window);
+
         /* fetch the window buffer */
         if (e_hwc_window_buffer_fetch(hwc_window))
           update_changes = EINA_TRUE;
@@ -2682,6 +2684,8 @@ _e_hwc_windows_changes_update(E_Hwc *hwc)
 
         if (e_hwc_window_device_state_available_update(hwc_window))
           update_changes = EINA_TRUE;
+
+        e_hwc_window_unref(hwc_window);
      }
 
    if (hwc->primary_output)