From 51cdd3e7812970cb92e65553905a8ffc1118789d Mon Sep 17 00:00:00 2001
From: Minchul Lee <slotus.lee@samsung.com>
Date: Thu, 27 Apr 2017 14:39:31 +0900
Subject: [PATCH] ecore_wayland: free mime types after finish set_selection

When copy operation, device tried to access the mime types
which is already freed. Thus, crash happend. To deliver
them to DATA READY handler, duplicate them and free later.

Change-Id: I9b40a9070d9cc03fb2c3df57586b062d6db8afe6
Signed-off-by: Minchul Lee <slotus.lee@samsung.com>
---
 src/lib/ecore_wayland/ecore_wl_dnd.c | 45 ++++++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/lib/ecore_wayland/ecore_wl_dnd.c b/src/lib/ecore_wayland/ecore_wl_dnd.c
index 39f59f3..b0504c7 100644
--- a/src/lib/ecore_wayland/ecore_wl_dnd.c
+++ b/src/lib/ecore_wayland/ecore_wl_dnd.c
@@ -632,7 +632,10 @@ _ecore_wl_dnd_del(Ecore_Wl_Dnd_Source *source)
           {
              char **t;
              wl_array_for_each(t, &source->types)
-               free(*t);
+               {
+                  free(*t);
+                  *t = NULL;
+               }
           }
         //
         wl_array_release(&source->types);
@@ -797,12 +800,16 @@ _ecore_wl_dnd_selection_data_read(void *data, Ecore_Fd_Handler *fd_handler EINA_
 
    char **types;
    int num = 0;
+   int count = 0;
 
    // TIZEN_ONLY(20161226): To increse buffer size to get very long text to satify html use case.
    //                       It should be changed to allow up to unlimit value to maintain compatibility.
    buffer = malloc(_MAX_SIZE_OF_COPY_DATA);
    if (!buffer)
      {
+        event->done = EINA_FALSE;
+        close(read_source->read_fd);
+        _ecore_wl_dnd_del(source);
         free(event);
         return ECORE_CALLBACK_CANCEL;
      }
@@ -810,6 +817,9 @@ _ecore_wl_dnd_selection_data_read(void *data, Ecore_Fd_Handler *fd_handler EINA_
    len = read(read_source->read_fd, buffer, _MAX_SIZE_OF_COPY_DATA);
    if (len <= 0)
      {
+        event->done = EINA_FALSE;
+        close(read_source->read_fd);
+        _ecore_wl_dnd_del(source);
         free(buffer);
         free(event);
         return ECORE_CALLBACK_CANCEL;
@@ -821,6 +831,9 @@ _ecore_wl_dnd_selection_data_read(void *data, Ecore_Fd_Handler *fd_handler EINA_
      {
         // TIZEN_ONLY(20161226): To increse buffer size to get very long text to satify html use case.
         //                       It should be changed to allow up to unlimit value to maintain compatibility.
+        event->done = EINA_FALSE;
+        close(read_source->read_fd);
+        _ecore_wl_dnd_del(source);
         free(buffer);
         //
         free(event);
@@ -835,9 +848,30 @@ _ecore_wl_dnd_selection_data_read(void *data, Ecore_Fd_Handler *fd_handler EINA_
    event->data[len] = '\0';
 
    num = (source->types.size / sizeof(char *));
-   types = source->types.data;
 
    event->num_types = num;
+
+   types = (char **)calloc(num, sizeof(char *));
+   if (!types)
+     {
+        event->done = EINA_FALSE;
+        close(read_source->read_fd);
+        _ecore_wl_dnd_del(source);
+        free(event->data);
+        free(buffer);
+        free(event);
+        return ECORE_CALLBACK_CANCEL;
+     }
+
+   if (source->types.data)
+     {
+        char **t;
+        wl_array_for_each(t, &source->types)
+          {
+             types[count] = (*t) ? strdup(*t) : NULL;
+             count++;
+          }
+     }
    event->types = types;
    event->len = len;
    event->sel_type = source->sel_type;
@@ -866,7 +900,14 @@ _ecore_wl_dnd_selection_data_ready_cb_free(void *data EINA_UNUSED, void *event)
    if (!(ev = event)) return;
 
    // TIZEN_ONLY(20160707): To distinguish clipboard selection in cbhm
+   int i;
+   char *s;
    if (ev->data) free(ev->data);
+   for (i = 0; i < ev->num_types; i++)
+     {
+        s = ev->types[i];
+        free(s);
+     }
    //
    free(ev);
 }
-- 
2.7.4