From b2bd27050f3570a8354a8927193aa56f1ff2c792 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Wed, 20 Apr 2022 15:45:55 +0900
Subject: [PATCH] xdg_shell: Destroy ds_xdg_surfaces when cleaning up client
This patch fixes memory corruption caused by removing ds_xdg_surfaces's link in destroy_xdg_surface(). When wl_client is destroyed, ds_xdg_shell_client can be destroyed before its own ds_xdg_surfaces. This led to memory corruption because of illegal access to a freed memory when trying to remove list of ds_xdg_surface.link.
Change-Id: I40fa5c1121c86f0674d7df81643e9805594e9dae
---
 src/libds/xdg_shell/xdg_shell.c | 4 ++++
 src/libds/xdg_shell/xdg_shell.h | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/src/libds/xdg_shell/xdg_shell.c b/src/libds/xdg_shell/xdg_shell.c
index a53684a..0b5252c 100644
--- a/src/libds/xdg_shell/xdg_shell.c
+++ b/src/libds/xdg_shell/xdg_shell.c
@@ -140,9 +140,13 @@ static void xdg_client_handle_resource_destroy(struct wl_resource *resource)
 {
 struct ds_xdg_client *client;
+ struct ds_xdg_surface *surface, *tmp;
 client = wl_resource_get_user_data(resource);
+ wl_list_for_each_safe(surface, tmp, &client->surfaces, link)
+ destroy_xdg_surface(surface);
+
 if (client->ping_timer != NULL)
 wl_event_source_remove(client->ping_timer);
diff --git a/src/libds/xdg_shell/xdg_shell.h b/src/libds/xdg_shell/xdg_shell.h
index ea67be7..dc50d37 100644
--- a/src/libds/xdg_shell/xdg_shell.h
+++ b/src/libds/xdg_shell/xdg_shell.h
@@ -168,6 +168,8 @@ struct ds_xdg_surface * create_xdg_surface(struct ds_xdg_client *client, struct ds_surface *surface, uint32_t id);
+void destroy_xdg_surface(struct ds_xdg_surface *surface);
+
 void reset_xdg_surface(struct ds_xdg_surface *surface);
-- 
2.7.4
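Review bot: The new loop in xdg_client_handle_resource_destroy() frees every ds_xdg_surface while the client's resources are still being torn down, so it is only safe if destroy_xdg_surface() also detaches the surface from its own wl_resource; otherwise that resource's destroy handler would presumably run later on a freed pointer, which is the same class of bug this patch fixes. destroy_xdg_surface() is not visible here, so please confirm it clears the resource's user data and that the surface handler tolerates NULL. Also note that `wl_list_for_each_safe` only tolerates removal of the current node: if destroying one surface can destroy another entry of `client->surfaces` (a child popup, say), `tmp` dangles. I would brace the loop body and record the ordering above it, e.g. `/* destroy surfaces first: each one unlinks itself from client->surfaces */`. The function body continues past the end of the hunk.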