From: Loïc Yhuel <loic.yhuel@softathome.com>
Date: Tue, 17 Sep 2019 18:14:56 +0000 (+0200)
Subject: libweston: fix possible crash after a view is removed the layer
X-Git-Tag: upstream/9.0.0~355
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=267b16e8f44133aa2fc09a93a73c04f47287fbea;p=platform%2Fupstream%2Fweston.git

libweston: fix possible crash after a view is removed the layer

weston_compositor_build_view_list can reconstruct the view_list without a view which was
previously in it. The existing pointers in view->link are left unchanged, which could
lead to corruption or access to released memory in wl_list_remove, depending of the
order of destruction of the views.

This can happen at least with the black view created by the desktop shell for fullscreen
surfaces, when it is hidden in lower_fullscreen_layer.

Signed-off-by: Loïc Yhuel <loic.yhuel@softathome.com>
---

diff --git a/libweston/compositor.c b/libweston/compositor.c
index f7263649..63f3880c 100644
--- a/libweston/compositor.c
+++ b/libweston/compositor.c
@@ -2569,14 +2569,17 @@ view_list_add(struct weston_compositor *compositor,
 static void
 weston_compositor_build_view_list(struct weston_compositor *compositor)
 {
-	struct weston_view *view;
+	struct weston_view *view, *tmp;
 	struct weston_layer *layer;
 
 	wl_list_for_each(layer, &compositor->layer_list, link)
 		wl_list_for_each(view, &layer->view_list.link, layer_link.link)
 			surface_stash_subsurface_views(view->surface);
 
+	wl_list_for_each_safe(view, tmp, &compositor->view_list, link)
+		wl_list_init(&view->link);
 	wl_list_init(&compositor->view_list);
+
 	wl_list_for_each(layer, &compositor->layer_list, link) {
 		wl_list_for_each(view, &layer->view_list.link, layer_link.link) {
 			view_list_add(compositor, view);