libweston: fix possible crash after a view is removed the layer

weston_compositor_build_view_list can reconstruct the view_list without a view which was previously in it. The existing pointers in view->link are left unchanged, which could lead to corruption or access to released memory in wl_list_remove, depending of the order of destruction of the views. This can happen at least with the black view created by the desktop shell for fullscreen surfaces, when it is hidden in lower_fullscreen_layer. Signed-off-by: Loïc Yhuel <loic.yhuel@softathome.com>
5 years ago · 267b16e8f4
parent c57a8cccd3
commit 267b16e8f4
1 changed files with 4 additions and 1 deletions
--- a/libweston/compositor.c
+++ b/libweston/compositor.c
@ -2569,14 +2569,17 @@ view_list_add(struct weston_compositor *compositor,
 static void
 weston_compositor_build_view_list(struct weston_compositor *compositor)
 {
-	struct weston_view *view;
+	struct weston_view *view, *tmp;
 	struct weston_layer *layer;

 	wl_list_for_each(layer, &compositor->layer_list, link)
 		wl_list_for_each(view, &layer->view_list.link, layer_link.link)
 			surface_stash_subsurface_views(view->surface);

+	wl_list_for_each_safe(view, tmp, &compositor->view_list, link)
+		wl_list_init(&view->link);
 	wl_list_init(&compositor->view_list);
+
 	wl_list_for_each(layer, &compositor->layer_list, link) {
 		wl_list_for_each(view, &layer->view_list.link, layer_link.link) {
 			view_list_add(compositor, view);