aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDominique Martinet <asmadeus@codewreck.org>2018-06-25 10:15:00 +0900
committerDominique Martinet <asmadeus@codewreck.org>2018-06-25 17:28:44 +0900
commit954969698ac87b05f30bf3eb3b7ae387b15c4145 (patch)
tree2b766a92646df5c3ecd31eead3c6ff136dde1bbf
parent253a88f03065763f2f9238d0389da382e3e09090 (diff)
wlr_primary_selection: fix use-after-free when cancelling source
seat->primary_election_source_destroy points to the source that just got freed by the cancel. ==7843==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0004269b0 at pc 0x7fb95bf4ccd0 bp 0x7ffd75013940 s p 0x7ffd75013930 WRITE of size 8 at 0x60b0004269b0 thread T0 #0 0x7fb95bf4cccf in wl_list_remove ../util/signal.c:55 #1 0x7fb95bf3f4c6 in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:238 #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7fb95c1bc601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7fb95b69718a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x60b0004269b0 is located 64 bytes inside of 112-byte region [0x60b000426970,0x60b0004269e0) freed by thread T0 here: #0 0x7fb95e0ad880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7fb95bf3f49e in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:236 #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 previously allocated by thread T0 here: #0 0x7fb95e0ade50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7fb95bec7ad6 in xwm_selection_get_targets ../xwayland/selection/incoming.c:355 #2 0x7fb95bec7ad6 in xwm_handle_selection_notify ../xwayland/selection/incoming.c:402 #3 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #4 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #5 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 SUMMARY: AddressSanitizer: heap-use-after-free ../util/signal.c:55 in wl_list_remove Shadow bytes around the buggy address: 0x0c168007cce0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd 0x0c168007ccf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c168007cd00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c168007cd10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c168007cd20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd =>0x0c168007cd30: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa 0x0c168007cd40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c168007cd50: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd 0x0c168007cd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c168007cd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa 0x0c168007cd80: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
-rw-r--r--types/wlr_primary_selection.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/types/wlr_primary_selection.c b/types/wlr_primary_selection.c
index b8f3094b..15452071 100644
--- a/types/wlr_primary_selection.c
+++ b/types/wlr_primary_selection.c
@@ -229,9 +229,9 @@ void wlr_seat_set_primary_selection(struct wlr_seat *seat,
}
if (seat->primary_selection_source) {
+ wl_list_remove(&seat->primary_selection_source_destroy.link);
seat->primary_selection_source->cancel(seat->primary_selection_source);
seat->primary_selection_source = NULL;
- wl_list_remove(&seat->primary_selection_source_destroy.link);
}
seat->primary_selection_source = source;