From 3796b59e746f314cf533c1f8e41932bb40455e81 Mon Sep 17 00:00:00 2001
From: Emre Ucan
Date: Tue, 20 Mar 2018 15:28:24 +0100
Subject: [PATCH] input: fix use-after-free issue at pointer_cancel

If the constraint is an one-shot constraint, constraint is freed in disable_pointer_constraint function. Therefore, we should not try to read freed memory at "switch (constraint->lifetime)" statement. The removed code is anyway superfluous. Because surface destroy signal is only removed, when constraint is an one-shot constraint. (Found by clang source code analyzer)

Signed-off-by: Emre Ucan
Reviewed-by: Pekka Paalanen
---
 libweston/input.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/libweston/input.c b/libweston/input.c
index 3e91c266..a9d21cb5 100644
--- a/libweston/input.c
+++ b/libweston/input.c
@@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
 container_of(grab, struct weston_pointer_constraint, grab);
 
 disable_pointer_constraint(constraint);
-
- /* If this is a persistent constraint, re-add the surface destroy signal
- * listener only if we are currently not destroying the surface. */
- switch (constraint->lifetime) {
- case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
- if (constraint->surface->resource)
- wl_signal_add(&constraint->surface->destroy_signal,
- &constraint->surface_destroy_listener);
- break;
- case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
- break;
- }
 }
 
 static const struct weston_pointer_grab_interface
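Review bot: The surviving call `disable_pointer_constraint(constraint);` carries no hint that it may free `constraint` on return, so nothing in the code itself stops a later change from reintroducing a read after it, which is the exact use-after-free this hunk removes. I would put a comment on the line above the call: `/* May destroy constraint (one-shot lifetime); do not touch it after this call. */`. The enclosing function begins before this hunk (only its signature appears in the hunk header), so whether `constraint` is referenced anywhere else after this point is not visible here. The statement that the persistent-lifetime re-add was redundant depends on what disable_pointer_constraint does with the surface destroy listener, which lies outside the hunk and deserves the same one-line note at that function's definition.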