xwayland: Remove pending stream reference when freeing

The EGLStream backend keeps a queue of pending streams for each Xwayland window. However, when this pending queue is freed, the corresponding private data may not be cleared (typically if the pixmap for this window has changed before the compositor finished attaching the consumer for the window's pixmap's original eglstream), leading to a use-after-free and a crash when trying to use that data as the window pixmap. Make sure to clear the private data when the pending stream is freed. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1055 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Tested-by: Karol Szuster <karolsz9898@gmail.com> Reviewed-by: Adam Jackson <ajax@redhat.com>
2020-09-14 15:39:10 +02:00 · 2020-09-14 15:39:10 +02:00 · a5f439dcd2
parent 0b86c0c362
commit a5f439dcd2
1 changed files with 1 additions and 1 deletions
--- a/hw/xwayland/xwayland-glamor-eglstream.c
+++ b/hw/xwayland/xwayland-glamor-eglstream.c
@ -437,8 +437,8 @@ xwl_eglstream_consumer_ready_callback(void *data,
    DebugF("eglstream: win %d completes eglstream for pixmap %p, congrats!\n",
           pending->window->drawable.id, pending->pixmap);

-    xwl_eglstream_window_set_pending(pending->window, NULL);
 out:
+    xwl_eglstream_window_set_pending(pending->window, NULL);
    xorg_list_del(&pending->link);
    free(pending);
 }