From 74c0e7921ae13986eb7d79bfa263f7ddb9312440 Mon Sep 17 00:00:00 2001 From: "A. M. Joseph" Date: Wed, 16 Oct 2019 23:55:40 -0700 Subject: [PATCH] xwayland.c handle_map(): NULL out xsurface->data() to prevent crashing. When changing a surface from managed to unmanaged in handle_map(), the call to handle_destroy(.., view) causes the sway_xwayland_view pointed to by the untyped wlr_xwayland_surface.data field to become invalid garbage, yet the untyped wlr_xwayland_surface.data continues to point at it. In particular: view_get_*(view_from_wlr_surface(..)), even with appropriate NULL checking, will crash sway when this codepath is exercised (reliable test case: drop-down menus in Google Earth). --- sway/desktop/xwayland.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sway/desktop/xwayland.c b/sway/desktop/xwayland.c index 0f7082012..28d7c058f 100644 --- a/sway/desktop/xwayland.c +++ b/sway/desktop/xwayland.c @@ -401,6 +401,7 @@ static void handle_map(struct wl_listener *listener, void *data) { // This window used not to have the override redirect flag and has it // now. Switch to unmanaged. handle_destroy(&xwayland_view->destroy, view); + xsurface->data = NULL; struct sway_xwayland_unmanaged *unmanaged = create_unmanaged(xsurface); unmanaged_handle_map(&unmanaged->map, xsurface); return;
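Review bot: the added `xsurface->data = NULL;` after `handle_destroy(&xwayland_view->destroy, view);` in the override-redirect branch of handle_map() clears the stale pointer for this one call site only. The commit message attributes the dangling pointer to handle_destroy() itself, so any other path that calls handle_destroy() while the wlr_xwayland_surface outlives the view would leave the same stale `data` pointer behind. Consider resetting the field where the view is torn down, if the surface is reachable there, so that every caller is covered. If the reset stays here, add a one-line comment stating that the view has just been destroyed and `xsurface->data` must not be dereferenced afterwards. Please also confirm that `create_unmanaged(xsurface)` on the following line does not depend on `xsurface->data` still being set when it is called.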