input: fix use-after-free issue at pointer_cancel
If the constraint is a one-shot constraint, it is freed in the disable_pointer_constraint function. Therefore, we should not try to read freed memory at the "switch (constraint->lifetime)" statement. The removed code is superfluous anyway, because the surface destroy signal is only removed when the constraint is a one-shot constraint. (Found by clang source code analyzer) Signed-off-by: Emre Ucan <eucan@de.adit-jv.com> Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
committed by
Pekka Paalanen
parent
16ac6a0f9d
commit
3796b59e74
@@ -4577,18 +4577,6 @@ confined_pointer_grab_pointer_cancel(struct weston_pointer_grab *grab)
|
|||||||
container_of(grab, struct weston_pointer_constraint, grab);
|
container_of(grab, struct weston_pointer_constraint, grab);
|
||||||
|
|
||||||
disable_pointer_constraint(constraint);
|
disable_pointer_constraint(constraint);
|
||||||
|
|
||||||
/* If this is a persistent constraint, re-add the surface destroy signal
|
|
||||||
* listener only if we are currently not destroying the surface. */
|
|
||||||
switch (constraint->lifetime) {
|
|
||||||
case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_PERSISTENT:
|
|
||||||
if (constraint->surface->resource)
|
|
||||||
wl_signal_add(&constraint->surface->destroy_signal,
|
|
||||||
&constraint->surface_destroy_listener);
|
|
||||||
break;
|
|
||||||
case ZWP_POINTER_CONSTRAINTS_V1_LIFETIME_ONESHOT:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct weston_pointer_grab_interface
|
static const struct weston_pointer_grab_interface
|
||||||
|
|||||||