img: fix UAF on Reconfigure by refcounting

Before this commit, there was a use-after-free bug on Reconfigure:
- theme_finish() destroys lab_imgs for titlebar icons
- For some reason, undecorate() calls _create_buffer() in
  scaled-img-buffer.c, which calls img_render() on a destroyed lab_img.

So this commit adds wlr_buffer-like APIs: lab_img_lock(),
lab_img_unlock() and lab_img_drop(). This ensures a lab_img is never
destroyed until no one references it.

include/img/img.h

@@ -3,6 +3,7 @@
 #define LABWC_IMG_H
 
 #include <cairo.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <wayland-util.h>
 
@@ -19,6 +20,9 @@ struct lab_img {
 	struct theme *theme; /* Used by modifier functions */
 	struct wl_array modifiers; /* lab_img_modifier_func_t */
 	struct lab_img_cache *cache;
+
+	bool dropped;
+	int nr_locks;
 };
 
 struct lab_img *lab_img_load(enum lab_img_type type, const char *path,
@@ -69,10 +73,9 @@ void lab_img_add_modifier(struct lab_img *img, lab_img_modifier_func_t modifier,
 struct lab_data_buffer *lab_img_render(struct lab_img *img,
 	int width, int height, int padding, double scale);
 
-/**
- * lab_img_destroy() - destroy lab_img
- * @img: lab_img to destroy
- */
-void lab_img_destroy(struct lab_img *img);
+/* These functions closely follow the APIs of wlr_buffer */
+void lab_img_lock(struct lab_img *img);
+void lab_img_unlock(struct lab_img *img);
+void lab_img_drop(struct lab_img *img);
 
 #endif /* LABWC_IMG_H */