From 9ddc2f39d0e6b59cb4f5f8ed8b4961a40172bbc1 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sun, 1 Jul 2018 21:02:35 +0900 Subject: wlr_seat destroy: fix use-after-free after primary selection source cancel the primary_selection_source_destroy list points to memory freed by that cancel callback, so remove from list before freeing --- types/seat/wlr_seat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/types/seat/wlr_seat.c b/types/seat/wlr_seat.c index ead4b0e7..c9eecef6 100644 --- a/types/seat/wlr_seat.c +++ b/types/seat/wlr_seat.c @@ -168,9 +168,9 @@ void wlr_seat_destroy(struct wlr_seat *seat) { seat->selection_source = NULL; } if (seat->primary_selection_source) { + wl_list_remove(&seat->primary_selection_source_destroy.link); seat->primary_selection_source->cancel(seat->primary_selection_source); seat->primary_selection_source = NULL; - wl_list_remove(&seat->primary_selection_source_destroy.link); } struct wlr_seat_client *client, *tmp; -- cgit v1.2.3