input: fix use-after-free issue at pointer_cancel

If the constraint is an one-shot constraint, constraint is freed in disable_pointer_constraint function. Therefore, we should not try to read freed memory at "switch (constraint->lifetime)" statement. The removed code is anyway superfluous. Because surface destroy signal is only removed, when constraint is an one-shot constraint. (Found by clang source code analyzer) Signed-off-by: Emre Ucan <eucan@de.adit-jv.com> Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
7 years ago · 3796b59e74
parent 16ac6a0f9d
commit 3796b59e74
1 changed files with 0 additions and 12 deletions
--- a/libweston/input.c
+++ b/libweston/input.c
@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
 		container_of(grab, struct weston_pointer_constraint, grab);

 	disable_pointer_constraint(constraint);
-
-	/* If this is a persistent constraint, re-add the surface destroy signal
-	 * listener only if we are currently not destroying the surface. */
-	switch (constraint->lifetime) {
-	case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
-		if (constraint->surface->resource)
-			wl_signal_add(&constraint->surface->destroy_signal,
-				      &constraint->surface_destroy_listener);
-		break;
-	case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
-		break;
-	}
 }

 static const struct weston_pointer_grab_interface