From: Rob Bradford <[email protected]>

The RDP compositor dynamically creates and destroys seats for the different connecting clients. Although the memory for the seat was being freed and it was also being removed from the list of seats in the compositor, the client was not being informed that the seat was no longer a valid global. Because the client still thought this global was valid when it tried to bind it, the compositor would attempt to access freed memory.
https://bugs.freedesktop.org/show_bug.cgi?id=65913 --- src/compositor.h | 1 + src/input.c | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/compositor.h b/src/compositor.h index 8070409..0c5623f 100644 --- a/src/compositor.h +++ b/src/compositor.h @@ -469,6 +469,7 @@ struct weston_seat { struct input_method *input_method; char *seat_name; + struct wl_global *global; }; enum { diff --git a/src/input.c b/src/input.c index 644487a..ed114de 100644 --- a/src/input.c +++ b/src/input.c @@ -1531,8 +1531,8 @@ weston_seat_init(struct weston_seat *seat, struct weston_compositor *ec, wl_list_init(&seat->drag_resource_list); wl_signal_init(&seat->destroy_signal); - wl_display_add_global(ec->wl_display, &wl_seat_interface, seat, - bind_seat); + seat->global = wl_display_add_global(ec->wl_display, &wl_seat_interface, + seat, bind_seat); seat->compositor = ec; seat->modifier_state = 0; @@ -1550,7 +1550,8 @@ WL_EXPORT void weston_seat_release(struct weston_seat *seat) { wl_list_remove(&seat->link); - /* The global object is destroyed at wl_display_destroy() time. */ + + wl_display_remove_global(seat->compositor->wl_display, seat->global); #ifdef ENABLE_XKBCOMMON if (seat->compositor->use_xkbcommon) { -- 1.8.3.1 _______________________________________________ wayland-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/wayland-devel
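Review bot: the new `struct wl_global *global;` member added to struct weston_seat in src/compositor.h carries no comment. A one-line note that it is set in weston_seat_init() and removed in weston_seat_release() would document the lifetime for backends that create and destroy seats at runtime.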
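Review bot: in the weston_seat_init() hunk of src/input.c, the return value of wl_display_add_global() is stored in seat->global without a NULL check, and weston_seat_release() later passes that pointer straight to wl_display_remove_global(). If the add can fail, handle it at the assignment or guard the removal with `if (seat->global)`.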
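Review bot: in the weston_seat_release() hunk of src/input.c, the deleted comment about the global being destroyed at wl_display_destroy() time is removed without a replacement. A short comment saying the global is removed here so clients stop binding a seat that is going away would keep the reasoning from the commit message next to the code. Consider also setting `seat->global = NULL;` after the wl_display_remove_global() call so a repeated release or stale use is easier to catch, and drop the extra blank line added after wl_list_remove(&seat->link).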
