mirrors/wayland
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/wayland.git synced 2025-10-29 05:40:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

shm: fix segfault when accessing destroyed pool resource

Browse source 
With wl_shm_buffer_ref_pool(), it's possible for a wl_shm_pool
to outlive its wl_resource. We need to be careful not to access
wl_shm_pool.resource if it's been destroyed.

Reset resource to NULL in the resource destroy handler, and add
NULL checks.

Signed-off-by: Simon Ser <contact@emersion.fr>
This commit is contained in:
Simon Ser 2022-09-16 09:53:39 +02:00
parent 6cdeae1bec
commit ab526f8d7c
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/wayland-shm.c
View file

@ -109,7 +109,7 @@ shm_pool_grow_mapping(struct wl_shm_pool *pool)
data = wl_os_mremap_maymove(pool->mmap_fd, pool->data, &pool->size,
pool->new_size, pool->mmap_prot,
pool->mmap_flags);
if (pool->size != 0) {
if (pool->size != 0 && pool->resource != NULL) {
wl_resource_post_error(pool->resource,
WL_SHM_ERROR_INVALID_FD,
"leaked old mapping");
@ -128,9 +128,10 @@ shm_pool_finish_resize(struct wl_shm_pool *pool)
data = shm_pool_grow_mapping(pool);
if (data == MAP_FAILED) {
wl_resource_post_error(pool->resource,
WL_SHM_ERROR_INVALID_FD,
"failed mremap");
if (pool->resource != NULL)
wl_resource_post_error(pool->resource,
WL_SHM_ERROR_INVALID_FD,
"failed mremap");
return;
}
@ -260,6 +261,7 @@ destroy_pool(struct wl_resource *resource)
{
struct wl_shm_pool *pool = wl_resource_get_user_data(resource);
pool->resource = NULL;
shm_pool_unref(pool, false);
}