From 8b12037cadb2422a10d948babc4fd77ce637f158 Mon Sep 17 00:00:00 2001 From: bi4k8 Date: Tue, 15 Nov 2022 01:00:27 +0000 Subject: [PATCH] wlr_seat: clear `drag->seat_client` when destroyed This was previously a use-after-free in `wlr_drag.c`. --- types/data_device/wlr_drag.c | 6 +++--- types/seat/wlr_seat.c | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/types/data_device/wlr_drag.c b/types/data_device/wlr_drag.c index d3cb979d0..c1fa801ba 100644 --- a/types/data_device/wlr_drag.c +++ b/types/data_device/wlr_drag.c @@ -55,14 +55,14 @@ static void drag_set_focus(struct wlr_drag *drag, goto out; } - if (!drag->source && + if (!drag->source && drag->seat_client && wl_resource_get_client(surface->resource) != drag->seat_client->client) { goto out; } struct wlr_seat_client *focus_client = wlr_seat_client_for_wl_client( - drag->seat_client->seat, wl_resource_get_client(surface->resource)); + drag->seat, wl_resource_get_client(surface->resource)); if (!focus_client) { goto out; } @@ -71,7 +71,7 @@ static void drag_set_focus(struct wlr_drag *drag, drag->source->accepted = false; uint32_t serial = - wl_display_next_serial(drag->seat_client->seat->display); + wl_display_next_serial(drag->seat->display); struct wl_resource *device_resource; wl_resource_for_each(device_resource, &focus_client->data_devices) { diff --git a/types/seat/wlr_seat.c b/types/seat/wlr_seat.c index 59b760ca5..f83ccd6df 100644 --- a/types/seat/wlr_seat.c +++ b/types/seat/wlr_seat.c @@ -75,6 +75,10 @@ static void seat_client_handle_resource_destroy( client->seat->keyboard_state.focused_client = NULL; } + if (client->seat->drag && client == client->seat->drag->seat_client) { + client->seat->drag->seat_client = NULL; + } + struct wl_resource *resource, *tmp; wl_resource_for_each_safe(resource, tmp, &client->pointers) { wl_resource_destroy(resource);