From: Changyeon Lee
Date: Thu, 8 Sep 2022 06:15:45 +0000 (+0900)
Subject: ecore_wl2_tbmsurface: fix use after free of tbm_surface_queue
X-Git-Tag: accepted/tizen/unified/20220914.085451^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F37%2F281037%2F1;p=platform%2Fupstream%2Fefl.git
ecore_wl2_tbmsurface: fix use after free of tbm_surface_queue
delete user data of queue in tbm_surface when tbm_surface_queue is deleted.
Change-Id: Ia0e35959b93e19af4ab5f203c705a58840006692
---
diff --git a/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c b/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
index b2aba75..a539818 100755
--- a/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
+++ b/src/lib/ecore_wl2/ecore_wl2_tbmsurface.c
@@ -371,6 +371,9 @@ _evas_tbmbuf_surface_destroy(Ecore_Wl2_Surface *surface, void *priv_data)
 {
 Ecore_Wl2_Buffer *surf = NULL;
 Ecore_Wl2_Tbmbuf_Private *p = priv_data;
+ int i, num_surface = 0;
+ tbm_surface_h *surfaces;
+
 if (!surface) return;
 if (!p) return;
@@ -379,10 +382,20 @@ _evas_tbmbuf_surface_destroy(Ecore_Wl2_Surface *surface, void *priv_data)
 {
 if (surf->tbm_queue && tbm_queue_ref == 0)
 {
- if (surf->tbm_surface)
- tbm_surface_internal_set_user_data(surf->tbm_surface, KEY_WINDOW, NULL);
- tbm_surface_queue_destroy(surf->tbm_queue);
- surf->tbm_queue = NULL;
+ tbm_surface_queue_get_surfaces(surf->tbm_queue, NULL, &num_surface);
+ if (num_surface)
+ {
+ surfaces = calloc(num_surface, sizeof(*surfaces));
+ if (surfaces)
+ {
+ tbm_surface_queue_get_surfaces(surf->tbm_queue, surfaces, &num_surface);
+ for (i = 0; i < num_surface; i++)
+ tbm_surface_internal_set_user_data(surfaces[i], KEY_WINDOW, NULL);
+ free(surfaces);
+ }
+ }
+ tbm_surface_queue_destroy(surf->tbm_queue);
+ surf->tbm_queue = NULL;
 }
 if (tbm_queue_ref) --tbm_queue_ref;
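Review bot: In the second hunk the queue is still destroyed with KEY_WINDOW user data left on its surfaces whenever enumeration fails, so the use-after-free this commit targets stays reachable on those paths. The return value of both `tbm_surface_queue_get_surfaces` calls is ignored, and a NULL from `calloc` skips the clearing loop silently. `if (num_surface)` also lets a negative count through to `calloc`, so the guard should be `num_surface > 0`. I would check both calls against `TBM_SURFACE_QUEUE_ERROR_NONE` and, when the list cannot be obtained, fall back to clearing `surf->tbm_surface` as the removed code did. The enclosing function starts and ends outside this hunk, so whether `surf->tbm_surface` is still valid at this point should be confirmed there.

```c
/* … unchanged: if (surf->tbm_queue && tbm_queue_ref == 0) { … */
if (tbm_surface_queue_get_surfaces(surf->tbm_queue, NULL, &num_surface) != TBM_SURFACE_QUEUE_ERROR_NONE)
  num_surface = 0;
surfaces = (num_surface > 0) ? calloc(num_surface, sizeof(*surfaces)) : NULL;
if (surfaces &&
    tbm_surface_queue_get_surfaces(surf->tbm_queue, surfaces, &num_surface) == TBM_SURFACE_QUEUE_ERROR_NONE)
  {
     for (i = 0; i < num_surface; i++)
       tbm_surface_internal_set_user_data(surfaces[i], KEY_WINDOW, NULL);
  }
else if (surf->tbm_surface)
  {
     /* could not enumerate: clear at least the surface still tracked here */
     tbm_surface_internal_set_user_data(surf->tbm_surface, KEY_WINDOW, NULL);
  }
free(surfaces);
/* … unchanged: tbm_surface_queue_destroy() and surf->tbm_queue = NULL … */
```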