wlr_seat: clear `drag->seat_client` when destroyed

This was previously a use-after-free in `wlr_drag.c`.

2 files changed, 7 insertions, 3 deletions

diff --git a/types/data_device/wlr_drag.c b/types/data_device/wlr_drag.c
index d3cb979d..c1fa801b 100644
--- a/types/data_device/wlr_drag.c
+++ b/types/data_device/wlr_drag.c
@@ -55,14 +55,14 @@ static void drag_set_focus(struct wlr_drag *drag,
 		goto out;
 	}
 
-	if (!drag->source &&
+	if (!drag->source && drag->seat_client &&
 			wl_resource_get_client(surface->resource) !=
 			drag->seat_client->client) {
 		goto out;
 	}
 
 	struct wlr_seat_client *focus_client = wlr_seat_client_for_wl_client(
-		drag->seat_client->seat, wl_resource_get_client(surface->resource));
+		drag->seat, wl_resource_get_client(surface->resource));
 	if (!focus_client) {
 		goto out;
 	}
@@ -71,7 +71,7 @@ static void drag_set_focus(struct wlr_drag *drag,
 		drag->source->accepted = false;
 
 		uint32_t serial =
-			wl_display_next_serial(drag->seat_client->seat->display);
+			wl_display_next_serial(drag->seat->display);
 
 		struct wl_resource *device_resource;
 		wl_resource_for_each(device_resource, &focus_client->data_devices) {
diff --git a/types/seat/wlr_seat.c b/types/seat/wlr_seat.c
index 59b760ca..f83ccd6d 100644
--- a/types/seat/wlr_seat.c
+++ b/types/seat/wlr_seat.c
@@ -75,6 +75,10 @@ static void seat_client_handle_resource_destroy(
 		client->seat->keyboard_state.focused_client = NULL;
 	}
 
+	if (client->seat->drag && client == client->seat->drag->seat_client) {
+		client->seat->drag->seat_client = NULL;
+	}
+
 	struct wl_resource *resource, *tmp;
 	wl_resource_for_each_safe(resource, tmp, &client->pointers) {
 		wl_resource_destroy(resource);