From 8c7287f5ba67d2a3116c7ec1c9c012b8f34a4423 Mon Sep 17 00:00:00 2001 From: Emmanuel Gil Peyrot Date: Wed, 15 Jul 2015 22:19:04 +0200 Subject: [PATCH] Partially revert "xwayland: Always free reply from xcb_get_property_reply()" This reverts commit d3553c721c0fed07f85b70fea418ca65ed974fbb. weston_wm_write_property() takes the ownership of the reply it gets as a parameter, and will eventually free it later in writable_callback. This change introduced a double-free when Xwayland programs triggered a copy to the clipboard, leading to a Weston crash. Reviewed-By: Derek Foreman Reviewed-by: Bryce Harrington --- xwayland/selection.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xwayland/selection.c b/xwayland/selection.c index 452cd69d..25ec8482 100644 --- a/xwayland/selection.c +++ b/xwayland/selection.c @@ -117,13 +117,14 @@ weston_wm_get_incr_chunk(struct weston_wm *wm) dump_property(wm, wm->atom.wl_selection, reply); if (xcb_get_property_value_length(reply) > 0) { + /* reply's ownership is transfered to wm, which is responsible + * for freeing it */ weston_wm_write_property(wm, reply); } else { weston_log("transfer complete\n"); close(wm->data_source_fd); + free(reply); } - - free(reply); } struct x11_data_source { @@ -247,12 +248,13 @@ weston_wm_get_selection_data(struct weston_wm *wm) return; } else if (reply->type == wm->atom.incr) { wm->incr = 1; + free(reply); } else { wm->incr = 0; + /* reply's ownership is transfered to wm, which is responsible + * for freeing it */ weston_wm_write_property(wm, reply); } - - free(reply); } static void