mirrors/labwc
1
0
Fork 0
mirror of https://github.com/labwc/labwc.git synced 2025-11-01 22:58:47 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
labwc/include/common/scaled-img-buffer.h
tokyo4j 70fb713874 img: fix UAF on Reconfigure by refcounting 
Before this commit, there was a use-after-free bug on Reconfigure:
- theme_finish() destroys lab_imgs for titlebar icons
- For some reason, undecorate() calls _create_buffer() in
  scaled-img-buffer.c, which calls img_render() on a destroyed lab_img.

So in this commit, the lifetime of lab_img is expanded to when the
scaled_img_buffers referencing it are all destroyed. This is achieved by
calling lab_img_copy() when setting a lab_img to scaled_img_buffer and
calling lab_img_destroy() when clearing a lab_img.

Now that scaled_img_buffer.img are always different, lab_img_equal() is
added to compare the content of scaled_img_buffer.img.
2025-01-04 09:10:02 +01:00

40 lines
1.3 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef LABWC_SCALED_IMG_BUFFER_H
#define LABWC_SCALED_IMG_BUFFER_H
#include <stdbool.h>
struct wlr_scene_tree;
struct wlr_scene_node;
struct wlr_scene_buffer;
struct lab_img;
struct scaled_img_buffer {
struct scaled_scene_buffer *scaled_buffer;
struct wlr_scene_buffer *scene_buffer;
struct lab_img *img;
int width;
int height;
int padding;
};
/*
* Create an auto scaling image buffer, providing a wlr_scene_buffer node for
* display. It gets destroyed automatically when the backing scaled_scene_buffer
* is being destroyed which in turn happens automatically when the backing
* wlr_scene_buffer (or one of its parents) is being destroyed.
*
* This function clones the lab_img passed as the image source, so callers are
* free to destroy it.
*/
struct scaled_img_buffer *scaled_img_buffer_create(struct wlr_scene_tree *parent,
struct lab_img *img, int width, int height, int padding);
/* Update image, width, height and padding of the scaled_img_buffer */
void scaled_img_buffer_update(struct scaled_img_buffer *self,
struct lab_img *img, int width, int height, int padding);
/* Obtain scaled_img_buffer from wlr_scene_node */
struct scaled_img_buffer *scaled_img_buffer_from_node(struct wlr_scene_node *node);
#endif /* LABWC_SCALED_IMG_BUFFER_H */
Reference in a new issue View git blame Copy permalink