diff options
| author | Emre Ucan <eucan@de.adit-jv.com> | 2018-03-20 15:28:24 +0100 |
|---|---|---|
| committer | Pekka Paalanen <pekka.paalanen@collabora.co.uk> | 2018-03-28 13:09:50 +0300 |
| commit | 3796b59e746f314cf533c1f8e41932bb40455e81 (patch) | |
| tree | b35ab8a38c372b3d4b3fe82bce77d2f7ae298c4a | |
| parent | 16ac6a0f9d084279758c55a87f5d8e3435a9e69b (diff) | |
| download | weston-3796b59e746f314cf533c1f8e41932bb40455e81.tar.gz | |
input: fix use-after-free issue at pointer_cancel
If the constraint is an one-shot constraint, constraint
is freed in disable_pointer_constraint function.
Therefore, we should not try to read freed memory at
"switch (constraint->lifetime)" statement.
The removed code is anyway superfluous. Because
surface destroy signal is only removed, when constraint
is an one-shot constraint.
(Found by clang source code analyzer)
Signed-off-by: Emre Ucan <eucan@de.adit-jv.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
| -rw-r--r-- | libweston/input.c | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/libweston/input.c b/libweston/input.c index 3e91c266..a9d21cb5 100644 --- a/libweston/input.c +++ b/libweston/input.c @@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab) container_of(grab, struct weston_pointer_constraint, grab); disable_pointer_constraint(constraint); - - /* If this is a persistent constraint, re-add the surface destroy signal - * listener only if we are currently not destroying the surface. */ - switch (constraint->lifetime) { - case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT: - if (constraint->surface->resource) - wl_signal_add(&constraint->surface->destroy_signal, - &constraint->surface_destroy_listener); - break; - case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT: - break; - } } static const struct weston_pointer_grab_interface |