From 720c1154dc8bc79dd7d99fb5ef86982963645d25 Mon Sep 17 00:00:00 2001 From: emersion Date: Sat, 30 Dec 2017 09:26:48 +0100 Subject: Fix use-after-free when destroying an offer --- types/wlr_data_device.c | 3 ++- types/wlr_primary_selection.c | 5 +---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/types/wlr_data_device.c b/types/wlr_data_device.c index 804718f9..fc2060e0 100644 --- a/types/wlr_data_device.c +++ b/types/wlr_data_device.c @@ -173,6 +173,8 @@ static void data_offer_resource_destroy(struct wl_resource *resource) { goto out; } + offer->source->offer = NULL; + // If the drag destination has version < 3, wl_data_offer.finish // won't be called, so do this here as a safety net, because // we still want the version >= 3 drag source to be happy. @@ -183,7 +185,6 @@ static void data_offer_resource_destroy(struct wl_resource *resource) { offer->source->cancel(offer->source); } - offer->source->offer = NULL; out: free(offer); } diff --git a/types/wlr_primary_selection.c b/types/wlr_primary_selection.c index c29856f2..491145f4 100644 --- a/types/wlr_primary_selection.c +++ b/types/wlr_primary_selection.c @@ -44,11 +44,8 @@ static void offer_resource_handle_destroy(struct wl_resource *resource) { goto out; } - if (offer->source->cancel) { - offer->source->cancel(offer->source); - } - offer->source->offer = NULL; + out: free(offer); } -- cgit v1.2.3