Commit 5e8b9a3a authored by Michel Dänzer, committed by Adam Jackson

xwayland: Use xwl_present_reset_timer in xwl_present_timer_callback

Apart from simplifying the code, this should also prevent a condition
(which might only be possible with the following fix) reported in
wayland/weston#115 (comment 52467):

1. xwl_present_timer_callback indirectly calls xwl_present_reset_timer
   -> xwl_present_free_timer
2. xwl_present_timer_callback then returns a non-0 value, so DoTimer
   calls TimerSet with the old xwl_present_window->frame_timer pointer
   which was freed in step 1 => use after free

Calling xwl_present_reset_timer explicitly passes NULL to TimerSet if
step 1 freed xwl_present_window->frame_timer, and it will allocate a new
one.
parent 036794be
......@@ -216,24 +216,15 @@ xwl_present_timer_callback(OsTimerPtr timer,
void *arg)
{
struct xwl_present_window *xwl_present_window = arg;
WindowPtr present_window = xwl_present_window->window;
struct xwl_window *xwl_window = xwl_window_from_window(present_window);
xwl_present_window->frame_timer_firing = TRUE;
xwl_present_window->msc++;
xwl_present_window->ust = GetTimeInMicros();
xwl_present_events_notify(xwl_present_window);
xwl_present_reset_timer(xwl_present_window);
if (xwl_present_has_events(xwl_present_window)) {
/* Still events, restart timer */
return xwl_present_is_flipping(present_window, xwl_window) ? TIMER_LEN_FLIP :
TIMER_LEN_COPY;
} else {
/* No more events, do not restart timer and delete it instead */
xwl_present_free_timer(xwl_present_window);
return 0;
}
return 0;
}
static void
......
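Review bot: The final `return 0;` after the `xwl_present_reset_timer(xwl_present_window);` call is what keeps DoTimer from calling TimerSet on the old timer pointer, but nothing in the function body says so, and the only comments in the hunk sit in the if/else block about restarting or deleting the timer. I would add a short comment above the return, for example `/* xwl_present_reset_timer re-arms or frees frame_timer itself; a non-0 return would make DoTimer call TimerSet on a possibly freed timer */`, so a later cleanup does not reintroduce a non-zero return. Separately, `frame_timer_firing` is set to TRUE at the top of the callback and nothing in the visible lines resets it; if that is intended, a one-line comment saying so would help readers.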