From b63e3e02018c1aba8e34e1fd6fdf8960b72dba4e Mon Sep 17 00:00:00 2001
From: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Date: Wed, 15 Feb 2012 17:02:53 +0200
Subject: [PATCH] compositor: fix two crashs on surface_attach() with null
 buffer

The condition to return from surface_attach with a null buffer involves
es->output being non-null. However if a surface was just created this
field would be null and an attach of a null buffer would cause the
compositor to crash.

The other crash happened if surface_attach was called twice with a
null buffer after a valid buffer was attached to the surface. Since
es->buffer was not being set to NULL, surface_attach() would call
wl_list_remove(&es->buffer_destroy_listener.link) twice for the same
surface.

Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
---
 src/compositor.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/compositor.c b/src/compositor.c
index ab90ded8..237509f9 100644
--- a/src/compositor.c
+++ b/src/compositor.c
@@ -1151,6 +1151,9 @@ surface_attach(struct wl_client *client,
 	struct weston_shell *shell = es->compositor->shell;
 	struct wl_buffer *buffer;
 
+	if (!buffer_resource && !es->output)
+		return;
+
 	weston_surface_damage_below(es);
 
 	if (es->buffer) {
@@ -1162,6 +1165,7 @@ surface_attach(struct wl_client *client,
 		wl_list_remove(&es->link);
 		es->visual = WESTON_NONE_VISUAL;
 		es->output = NULL;
+		es->buffer = NULL;
 		return;
 	}