From 8b6dc483557a2b088893ce9b2c2b9c053df8a99e Mon Sep 17 00:00:00 2001
From: Tony Crisci
Date: Mon, 24 Jul 2017 19:50:13 -0400
Subject: [PATCH] bugfix: add null check on output gbm on pageflip

The gbm for the output might be null for the pageflip in the case that the output has been disconnected. The gbm might be set to null by wlr_drm_output_cleanup() in this case. If the output is cleaned up before the pageflip, then a double free will crash the compositor on the call to gbm_surface_release_buffer() in the pageflip handler. The outputs buffer object bo[1] will point to invalid memory.
---
 backend/drm/drm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/drm/drm.c b/backend/drm/drm.c
index 618274a64..bba3a3908 100644
--- a/backend/drm/drm.c
+++ b/backend/drm/drm.c
@@ -631,7 +631,7 @@ static void page_flip_handler(int fd, unsigned seq,
 struct wlr_backend_state *state = wl_container_of(output->renderer, state, renderer);
- if (output->bo[1]) {
+ if (output->gbm && output->bo[1]) {
 gbm_surface_release_buffer(output->gbm, output->bo[1]);
 output->bo[1] = NULL;
 }
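Review bot: When `output->gbm` is NULL the new guard skips the whole block, so `output->bo[1]` keeps the pointer that the commit message itself says refers to invalid memory; nothing in this hunk clears it. If the output is later reinitialised with a fresh gbm surface, the next page flip would pass that stale buffer object to `gbm_surface_release_buffer()`. Keeping the original `if (output->bo[1])` test, releasing only under `if (output->gbm)`, and leaving `output->bo[1] = NULL;` unconditional would drop the stale pointer on both paths. Clearing the `bo` entries where the gbm surface is torn down (presumably wlr_drm_output_cleanup(), not visible here) would fix it at the source. The body of page_flip_handler continues outside the hunk, so later uses of output state after a disconnect cannot be checked from here.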