mirrors/wayland
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/wayland.git synced 2025-10-29 05:40:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

client: Abort when trying to add an event to a destroyed queue

Browse source 
Detect when we are trying to add an event to a destroyed queue,
and abort instead of causing a use-after-free memory error.

This situation can occur when an wl_event_queue is destroyed before
its attached wl_proxy objects.

Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
This commit is contained in:
Alexandros Frantzis 2022-11-15 11:44:55 +02:00 committed by Simon Ser
parent e09010f470
commit d72f9007c3
2 changed files with 66 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/wayland-client.c
View file

@ -312,6 +312,7 @@ wl_event_queue_release(struct wl_event_queue *queue)
wl_log(" %s@%u still attached\n",
proxy->object.interface->name,
proxy->object.id);
proxy->queue = NULL;
wl_list_remove(&proxy->queue_link);
wl_list_init(&proxy->queue_link);
}
@ -541,6 +542,7 @@ proxy_destroy(struct wl_proxy *proxy)
proxy->flags |= WL_PROXY_FLAG_DESTROYED;
proxy->queue = NULL;
wl_list_remove(&proxy->queue_link);
wl_list_init(&proxy->queue_link);
@ -1564,6 +1566,9 @@ queue_event(struct wl_display *display, int len)
else
queue = proxy->queue;
if (!queue)
wl_abort("Tried to add event to destroyed queue\n");
wl_list_insert(queue->event_list.prev, &closure->link);
return size;