wlroots/include/backend/wayland.h
Dominique Martinet d5e14ab247 wayland backend: fix use-after free on output destroy
==12021==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000015698 at pc 0x7f1a9abe1c09 bp 0x7ffe9068f6b0 sp 0x7ffe9068f6a0
WRITE of size 4 at 0x617000015698 thread T0
    #0 0x7f1a9abe1c08 in pointer_handle_leave ../backend/wayland/wl_seat.c:40
    #1 0x7f1a96ae7d1d in ffi_call_unix64 (/lib64/libffi.so.6+0x5d1d)
    #2 0x7f1a96ae768e in ffi_call (/lib64/libffi.so.6+0x568e)
    #3 0x7f1a988e0d8a  (/lib64/libwayland-client.so.0+0x8d8a)
    #4 0x7f1a988dd927  (/lib64/libwayland-client.so.0+0x5927)
    #5 0x7f1a988debe3 in wl_display_dispatch_queue_pending (/lib64/libwayland-client.so.0+0x6be3)
    #6 0x7f1a9abdd6d6 in dispatch_events ../backend/wayland/backend.c:28
    #7 0x7f1a9a968c11 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0x9c11)
    #8 0x7f1a9a967449 in wl_display_run (/lib64/libwayland-server.so.0+0x8449)
    #9 0x418dff in main ../rootston/main.c:81
    #10 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #11 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9)

0x617000015698 is located 664 bytes inside of 696-byte region [0x617000015400,0x6170000156b8)
freed by thread T0 here:
    #0 0x7f1a9af754b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
    #1 0x7f1a9abe01ee in wlr_wl_output_destroy ../backend/wayland/output.c:194
    #2 0x7f1a9ac12918 in wlr_output_destroy ../types/wlr_output.c:299
    #3 0x7f1a9abe061b in xdg_toplevel_handle_close ../backend/wayland/output.c:255
    #4 0x7f1a96ae7d1d in ffi_call_unix64 (/lib64/libffi.so.6+0x5d1d)
    #5 0x7f1a96ae768e in ffi_call (/lib64/libffi.so.6+0x568e)
    #6 0x7f1a988e0d8a  (/lib64/libwayland-client.so.0+0x8d8a)
    #7 0x7f1a988dd927  (/lib64/libwayland-client.so.0+0x5927)
    #8 0x7f1a988debe3 in wl_display_dispatch_queue_pending (/lib64/libwayland-client.so.0+0x6be3)
    #9 0x7f1a9abdd6d6 in dispatch_events ../backend/wayland/backend.c:28
    #10 0x7f1a9a968c11 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0x9c11)
    #11 0x7f1a9a967449 in wl_display_run (/lib64/libwayland-server.so.0+0x8449)
    #12 0x418dff in main ../rootston/main.c:81
    #13 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #14 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9)

previously allocated by thread T0 here:
    #0 0x7f1a9af75a38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38)
    #1 0x7f1a9abe0703 in wlr_wl_output_create ../backend/wayland/output.c:272
    #2 0x7f1a9abdd8eb in wlr_wl_backend_start ../backend/wayland/backend.c:55
    #3 0x7f1a9abbeb49 in wlr_backend_start ../backend/backend.c:28
    #4 0x7f1a9abd8ce1 in multi_backend_start ../backend/multi/backend.c:24
    #5 0x7f1a9abbeb49 in wlr_backend_start ../backend/backend.c:28
    #6 0x418c32 in main ../rootston/main.c:58
    #7 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #8 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9)
2018-03-22 21:27:49 +01:00


#ifndef BACKEND_WAYLAND_H
#define BACKEND_WAYLAND_H
#include <stdbool.h>
#include <wayland-client.h>
#include <wayland-egl.h>
#include <wayland-server.h>
#include <wayland-util.h>
#include <wlr/backend/wayland.h>
#include <wlr/render/egl.h>
#include <wlr/render/wlr_renderer.h>
#include <wlr/types/wlr_box.h>
/*
 * Top-level state of the Wayland backend, split (as in the original comments)
 * into a local half and a remote half.
 *
 * The stack traces recorded with commit d5e14ab247 show dispatch_events()
 * calling wl_display_dispatch_queue_pending() (libwayland-client) from inside
 * wl_event_loop_dispatch() (libwayland-server). Events from the remote
 * display are therefore handled on the local event loop, and one dispatch
 * pass can run several handlers back to back. A handler that frees an object
 * must not leave pointers to it where a later handler will find them.
 */
struct wlr_wl_backend {
	struct wlr_backend backend; // embedded generic backend; first member

	/* local state */
	bool started;
	struct wl_display *local_display;
	struct wl_list devices;
	// presumably links wlr_wl_backend_output.link entries — confirm
	struct wl_list outputs;
	struct wlr_egl egl;
	struct wlr_renderer *renderer;
	// NOTE(review): the d5e14ab247 trace shows wlr_wl_backend_start calling
	// wlr_wl_output_create; presumably this count drives that — confirm
	size_t requested_outputs;
	struct wl_listener local_display_destroy;

	/* remote state */
	struct wl_display *remote_display;
	struct wl_event_source *remote_display_src;
	struct wl_registry *registry;
	struct wl_compositor *compositor;
	struct zxdg_shell_v6 *shell;
	struct wl_shm *shm;
	struct wl_seat *seat;
	struct wl_pointer *pointer;
	// ownership not visible in this header — check who allocates and frees it
	char *seat_name;
};
/*
 * One output of the Wayland backend. Going by the field types, it pairs the
 * generic wlr_output with a wl_surface, xdg-shell v6 surface/toplevel objects
 * and an EGL window.
 *
 * Lifetime: the ASan report in commit d5e14ab247 shows a 696-byte object
 * calloc'd in wlr_wl_output_create and freed in wlr_wl_output_destroy
 * (reached from xdg_toplevel_handle_close), then written to by
 * pointer_handle_leave. Any code that stores a pointer to this struct must
 * drop that pointer when the output is destroyed.
 */
struct wlr_wl_backend_output {
	struct wlr_output wlr_output; // embedded generic output; first member
	struct wlr_wl_backend *backend; // back-pointer, not owned

	struct wl_surface *surface;
	struct zxdg_surface_v6 *xdg_surface;
	struct zxdg_toplevel_v6 *xdg_toplevel;
	struct wl_egl_window *egl_window;
	struct wl_callback *frame_callback;

	struct {
		struct wl_shm_pool *pool;
		void *buffer; // actually a (client-side) struct wl_buffer*
		uint32_t buf_size;
		uint8_t *data;
		struct wl_surface *surface;
		int32_t hotspot_x;
		int32_t hotspot_y;
	} cursor;

	// NOTE(review): the 4-byte write at offset 664 of the 696-byte freed
	// region in the d5e14ab247 report matches this field's position on a
	// 64-bit layout like the one declared here — confirm against wl_seat.c
	uint32_t enter_serial;

	void *egl_surface;
	struct wl_list link; // presumably the node in wlr_wl_backend.outputs
};
/*
 * Input device wrapper for the Wayland backend: the generic wlr_input_device
 * plus a back-pointer to the owning backend.
 */
struct wlr_wl_input_device {
	struct wlr_input_device wlr_input_device; // embedded; first member
	struct wlr_wl_backend *backend; // back-pointer, not owned

	// Untyped handle; presumably the remote Wayland object behind this
	// device — confirm the concrete type and who releases it
	void *resource;
};
/*
 * Pointer state for the Wayland backend.
 *
 * current_output is a non-owning pointer into an output that can be freed
 * independently. Commit d5e14ab247 ("fix use-after free on output destroy")
 * records pointer_handle_leave writing into an output that
 * wlr_wl_output_destroy had already freed during the same dispatch pass.
 */
struct wlr_wl_pointer {
	struct wlr_pointer wlr_pointer; // embedded generic pointer; first member
	enum wlr_axis_source axis_source;

	// Borrowed; must not be dereferenced after the output is destroyed.
	struct wlr_wl_backend_output *current_output;

	// presumably registered on the output's destroy signal so that
	// current_output can be reset before the free — confirm in wl_seat.c
	struct wl_listener output_destroy_listener;
};
/*
 * Internal entry points shared between the Wayland backend's translation
 * units. Only the signatures are visible here; the behaviour notes below are
 * assumptions to confirm against the definitions.
 */

// presumably processes the remote registry for `backend` — confirm
void wlr_wl_registry_poll(struct wlr_wl_backend *backend);

// presumably pushes the state in output->cursor to the remote side — confirm
void wlr_wl_output_update_cursor(struct wlr_wl_backend_output *output);

/*
 * Looks up the backend output for `surface` (presumably by matching
 * wlr_wl_backend_output.surface; the no-match result should be checked at the
 * definition). The returned pointer is not owned by the caller. A caller that
 * keeps it across event dispatch needs a destroy hook, since outputs can be
 * freed from an event handler (see the ASan report in commit d5e14ab247).
 */
struct wlr_wl_backend_output *wlr_wl_output_for_surface(
		struct wlr_wl_backend *backend, struct wl_surface *surface);

// Writes a layout box for the backend's outputs into `box` — TODO confirm
void wlr_wl_output_layout_get_box(struct wlr_wl_backend *backend,
		struct wlr_box *box);

// wl_seat listener table, defined in another translation unit.
extern const struct wl_seat_listener seat_listener;
#endif