author | Simon Ser <contact@emersion.fr> | 2022-09-16 09:53:39 +0200 |
---|---|---|
committer | Simon Ser <contact@emersion.fr> | 2023-02-27 21:00:10 +0000 |
commit | ab526f8d7c80433effd01c1994d50c618c0b7207 (patch) | |
tree | 3aa458d83d9da88b449342d6bb4fe261d28c47b6 | |
parent | 6cdeae1becef114c064b7021c5dd59d36630975c (diff) | |
shm: fix segfault when accessing destroyed pool resource
With wl_shm_buffer_ref_pool(), it's possible for a wl_shm_pool
to outlive its wl_resource. We need to be careful not to access
wl_shm_pool.resource if it's been destroyed.
Reset resource to NULL in the resource destroy handler, and add
NULL checks.
Signed-off-by: Simon Ser <contact@emersion.fr>
-rw-r--r-- | src/wayland-shm.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/wayland-shm.c b/src/wayland-shm.c
index c4cd390..8fb657a 100644
--- a/src/wayland-shm.c
+++ b/src/wayland-shm.c
@@ -109,7 +109,7 @@ shm_pool_grow_mapping(struct wl_shm_pool *pool)
 data = wl_os_mremap_maymove(pool->mmap_fd, pool->data, &pool->size, pool->new_size, pool->mmap_prot, pool->mmap_flags);
- if (pool->size != 0) {
+ if (pool->size != 0 && pool->resource != NULL) {
 wl_resource_post_error(pool->resource, WL_SHM_ERROR_INVALID_FD, "leaked old mapping");
@@ -128,9 +128,10 @@ shm_pool_finish_resize(struct wl_shm_pool *pool)
 data = shm_pool_grow_mapping(pool);
 if (data == MAP_FAILED) {
- wl_resource_post_error(pool->resource,
- WL_SHM_ERROR_INVALID_FD,
- "failed mremap");
+ if (pool->resource != NULL)
+ wl_resource_post_error(pool->resource,
+ WL_SHM_ERROR_INVALID_FD,
+ "failed mremap");
 return;
 }
@@ -260,6 +261,7 @@ destroy_pool(struct wl_resource *resource)
 {
 struct wl_shm_pool *pool = wl_resource_get_user_data(resource);
+ pool->resource = NULL;
 shm_pool_unref(pool, false);
 }
|
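Review bot: With the NULL test folded into the condition in shm_pool_grow_mapping(), a non-zero `pool->size` after `wl_os_mremap_maymove()` (the "leaked old mapping" case) is no longer reported anywhere once the resource is gone; the same applies to the "failed mremap" branch in shm_pool_finish_resize(). There is no client left to receive a protocol error, so a server-side log line would keep the condition visible: keep the outer test as `if (pool->size != 0) {` and inside it post the error when `pool->resource != NULL`, otherwise call something like `wl_log("wl_shm: leaked old mapping\n");` (assuming wl_log() is in scope in this file). The `if` body closes outside the hunk, so anything else inside it is now skipped as well when the resource is NULL; worth confirming that is intended.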
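Review bot: The new `if (pool->resource != NULL)` in shm_pool_finish_resize() guards a three-line call without braces and is followed directly by `return;` at the outer level, which is easy to misread and easy to break when a second statement is added to the guarded branch. Bracing it, `if (pool->resource != NULL) {` … `}`, costs one line and matches the braced form the same check has in shm_pool_grow_mapping(). The function continues outside the hunk.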
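Review bot: `pool->resource = NULL;` in destroy_pool() carries no comment, and the reason for it is a lifetime rule that cannot be seen at this site: per the commit message the pool can outlive its wl_resource through wl_shm_buffer_ref_pool(). Suggest `/* The pool may outlive its resource (wl_shm_buffer_ref_pool()); clear the pointer so later users see NULL instead of a dangling wl_resource. */` above the assignment, plus a "may be NULL after the resource is destroyed" remark on the `resource` field of struct wl_shm_pool. Only two readers are guarded in this diff; any other dereference of `pool->resource` elsewhere in the file (not shown here) would change from a stale-pointer access into a NULL dereference, so each should get the same check.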