Memory access to already-free'd region in wlr_scene.c
Noticed that valgrind reports an invalid read for an already-free'd address in wlr_scene_set_buffer().
This happens in the following scenario:
- wlr_scene_buffer was initialized with a wlr_buffer, and wlr_scene_buffer holds the only lock on that wlr_buffer.
- call wlr_scene_buffer_set_buffer, with a (new and different) wlr_buffer.
- This will call wlr_buffer_unlock on the earlier-held buffer.
- A bit further below, there is a check on the buffer sizes, which accesses the just-unlocked buffer [2], on `scene_buffer->buffer->width` and `scene_buffer->buffer->height`.
This was reported by a valgrind run on my box [3], with today's sync-to-HEAD from wlroots.
Temporarily storing the (previous) buffer's dimensions prevents that issue.
- [1] https://gitlab.freedesktop.org/wlroots/wlroots/-/blob/master/types/scene/wlr_scene.c#L605
- [2] https://gitlab.freedesktop.org/wlroots/wlroots/-/blob/master/types/scene/wlr_scene.c#L616
- [3] Valgrind log:
==9973== Invalid read of size 4
==9973== at 0x4A23F1B: wlr_scene_buffer_set_buffer_with_damage (wlr_scene.c:616)
==9973== by 0x4A245C8: wlr_scene_buffer_set_buffer (wlr_scene.c:724)
==9973== by 0x11EDE5: handle_task_list_enabled (task_list.c:346)
==9973== by 0x118E0C: wl_signal_emit (wayland-server-core.h:496)
==9973== by 0x1190BE: handle_key (keyboard.c:132)
==9973== by 0x49C17FB: wl_signal_emit_mutable (wayland-server.c:2241)
==9973== by 0x4A474F1: wlr_keyboard_notify_key (wlr_keyboard.c:102)
==9973== by 0x4A0BBC6: send_key_event (input_device.c:28)
==9973== by 0x4A0C05E: handle_x11_xinput_event (input_device.c:133)
==9973== by 0x4A0A203: handle_x11_event (backend.c:106)
==9973== by 0x4A0A30C: x11_event (backend.c:141)
==9973== by 0x49C3681: wl_event_loop_dispatch (event-loop.c:1027)
==9973== Address 0x278ae548 is 8 bytes inside a block of size 120 free'd
==9973== at 0x48399AB: free (vg_replace_malloc.c:538)
==9973== by 0x110F1B: wlr_buffer_impl_destroy (cairo_buffer.c:163)
==9973== by 0x4A37A98: buffer_consider_destroy (buffer.c:33)
==9973== by 0x4A37B9A: wlr_buffer_unlock (buffer.c:63)
==9973== by 0x4A0143C: texture_destroy (renderer.c:53)
==9973== by 0x49FAD9A: wlr_texture_destroy (wlr_texture.c:22)
==9973== by 0x4A23EBD: wlr_scene_buffer_set_buffer_with_damage (wlr_scene.c:607)
==9973== by 0x4A245C8: wlr_scene_buffer_set_buffer (wlr_scene.c:724)
==9973== by 0x11EDE5: handle_task_list_enabled (task_list.c:346)
==9973== by 0x118E0C: wl_signal_emit (wayland-server-core.h:496)
==9973== by 0x1190BE: handle_key (keyboard.c:132)
==9973== by 0x49C17FB: wl_signal_emit_mutable (wayland-server.c:2241)
==9973== Block was alloc'd at
==9973== at 0x483AB65: calloc (vg_replace_malloc.c:760)
==9973== by 0x110C4B: _logged_calloc (log_wrappers.h:24)
==9973== by 0x110CBE: wlmaker_cairo_buffer_create (cairo_buffer.c:85)
==9973== by 0x11E793: create_locked_wlr_buffer (task_list.c:170)
==9973== by 0x11ED7A: handle_task_list_enabled (task_list.c:344)
==9973== by 0x118E0C: wl_signal_emit (wayland-server-core.h:496)
==9973== by 0x1190BE: handle_key (keyboard.c:132)
==9973== by 0x49C17FB: wl_signal_emit_mutable (wayland-server.c:2241)
==9973== by 0x4A474F1: wlr_keyboard_notify_key (wlr_keyboard.c:102)
==9973== by 0x4A0BBC6: send_key_event (input_device.c:28)
==9973== by 0x4A0C05E: handle_x11_xinput_event (input_device.c:133)
==9973== by 0x4A0A203: handle_x11_event (backend.c:106)
Edited by Philipp Käser
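A reduced model of the ordering problem described in this report, written as an added example here (it is not wlroots code and does not reproduce wlr_scene's real functions or signatures). The `struct buffer`, `buffer_lock`/`buffer_unlock`, `set_buffer_buggy` and `set_buffer_fixed` names are invented for the example. Instead of handing memory back to `free()`, the last unlock only marks the buffer as freed, so a read through the dangling `scene_buffer->buffer` pointer can be counted deterministically rather than relying on valgrind; the fixed variant captures the old dimensions before dropping the lock, as the report suggests.

```c
/* Added example (hypothetical names, not wlroots code): a model of the
 * "unlock first, then read the old buffer's size" ordering bug, beside
 * the fixed ordering. The last unlock marks the buffer freed instead of
 * calling free(), so the stale read stays defined and countable. */
#include <stdbool.h>
#include <stdlib.h>

struct buffer {
    int width, height;
    int n_locks;   /* models wlr_buffer's lock count */
    bool freed;    /* set when the last lock is dropped (models free()) */
};

/* Counts reads of a freed buffer, the way valgrind reports "Invalid read". */
static int stale_reads;

int stale_read_count(void) { return stale_reads; }
void reset_stale_reads(void) { stale_reads = 0; }

struct buffer *buffer_create(int width, int height) {
    struct buffer *b = calloc(1, sizeof(*b));   /* never free()d: see above */
    if (b == NULL) abort();
    b->width = width;
    b->height = height;
    return b;
}

struct buffer *buffer_lock(struct buffer *b) {
    b->n_locks++;
    return b;
}

/* Models wlr_buffer_unlock -> buffer_consider_destroy: last lock destroys. */
void buffer_unlock(struct buffer *b) {
    if (b == NULL) return;
    b->n_locks--;
    if (b->n_locks == 0) b->freed = true;
}

/* Field reads go through accessors so a read after destruction is counted. */
static int buffer_width(const struct buffer *b) {
    if (b->freed) stale_reads++;
    return b->width;
}
static int buffer_height(const struct buffer *b) {
    if (b->freed) stale_reads++;
    return b->height;
}

struct scene_buffer {
    struct buffer *buffer;   /* holds one lock on the current buffer */
};

/* Buggy ordering: the lock is dropped first, then the size check
 * dereferences the (possibly destroyed) old buffer. Returns whether the
 * size changed, as the size check in the report decides. */
bool set_buffer_buggy(struct scene_buffer *sb, struct buffer *new_buf) {
    struct buffer *old = sb->buffer;
    buffer_unlock(old);   /* may destroy old if sb held the only lock */
    bool size_changed = old == NULL || new_buf == NULL ||
        buffer_width(old) != new_buf->width ||    /* stale read here */
        buffer_height(old) != new_buf->height;
    sb->buffer = new_buf != NULL ? buffer_lock(new_buf) : NULL;
    return size_changed;
}

/* Fixed ordering: capture the old dimensions while the lock is still
 * held, then unlock, then compare against the saved values. */
bool set_buffer_fixed(struct scene_buffer *sb, struct buffer *new_buf) {
    struct buffer *old = sb->buffer;
    bool had_old = old != NULL;
    int old_w = 0, old_h = 0;
    if (had_old) {
        old_w = buffer_width(old);
        old_h = buffer_height(old);
    }
    buffer_unlock(old);
    sb->buffer = NULL;   /* no dangling pointer left behind */
    bool size_changed = !had_old || new_buf == NULL ||
        old_w != new_buf->width || old_h != new_buf->height;
    if (new_buf != NULL) sb->buffer = buffer_lock(new_buf);
    return size_changed;
}
```

The scenario from the report maps onto this directly: create a buffer, let the scene buffer take the only lock on it, then call the setter with a different buffer. The buggy variant reports at least one stale read; the fixed variant reports none and still computes the size comparison correctly, including the transition to a NULL buffer.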