Commit 23c55ec3 authored by Michel Dänzer's avatar Michel Dänzer Committed by Lyude Paul

xwayland: Hold a pixmap reference in struct xwl_present_event

In the log of the commit below, I claimed this wasn't necessary on the
1.20 branch, but this turned out to be wrong: It meant that
event->buffer could already be destroyed in xwl_present_free_event,
resulting in use-after-free and likely a crash.

Fixes: 22c0808a "xwayland: Free all remaining events in
                     xwl_present_cleanup"
parent 1179938c
Pipeline #180646 passed with stages
in 3 minutes and 45 seconds
......@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event)
if (!event)
return;
if (event->buffer)
wl_buffer_set_user_data(event->buffer, NULL);
if (event->pixmap) {
if (!event->buffer_released) {
struct wl_buffer *buffer =
xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL);
wl_buffer_set_user_data(buffer, NULL);
}
dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id);
}
xorg_list_del(&event->list);
free(event);
......@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
return BadAlloc;
event->event_id = event_id;
event->buffer = NULL;
event->pixmap = NULL;
event->xwl_present_window = xwl_present_window;
event->target_msc = msc;
......@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window,
if (!event)
return FALSE;
pixmap->refcnt++;
buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created);
event->event_id = event_id;
event->xwl_present_window = xwl_present_window;
event->buffer = buffer;
event->pixmap = pixmap;
event->target_msc = target_msc;
event->pending = TRUE;
event->abort = FALSE;
......
......@@ -215,7 +215,7 @@ struct xwl_present_event {
Bool buffer_released;
struct xwl_present_window *xwl_present_window;
struct wl_buffer *buffer;
PixmapPtr pixmap;
struct xorg_list list;
};
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment