From 3d28e03a29b77d5bd76cf270f89af58056628c81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
Date: Wed, 18 Jan 2023 16:03:40 +0100
Subject: [PATCH] wayland: Take surface reference for presentation-time feedback
Without this, the feedback->surface pointer could outlive the surface it pointed to, which could result in use-after-free. One consequence of this is that if a MetaWaylandPresentationFeedback object ever lingers on longer than expected, it would keep the MetaWaylandSurface alive as well.
Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/2585
Part-of:
---
 src/wayland/meta-wayland-presentation-time.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/wayland/meta-wayland-presentation-time.c b/src/wayland/meta-wayland-presentation-time.c
index a6aaed21e..5adab977e 100644
--- a/src/wayland/meta-wayland-presentation-time.c
+++ b/src/wayland/meta-wayland-presentation-time.c
@@ -42,6 +42,7 @@ wp_presentation_feedback_destructor (struct wl_resource *resource)
 wl_resource_get_user_data (resource);
 wl_list_remove (&feedback->link);
+ g_clear_object (&feedback->surface);
 g_free (feedback);
 }
@@ -83,7 +84,7 @@ wp_presentation_feedback (struct wl_client *client,
 pending = meta_wayland_surface_get_pending_state (surface);
 wl_list_insert (&pending->presentation_feedback_list, &feedback->link);
- feedback->surface = surface;
+ feedback->surface = g_object_ref (surface);
 }
 static const struct wp_presentation_interface
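Review bot: The new strong reference has no comment stating who owns it or what state the surface may be in while it is held; the `feedback->surface = g_object_ref (surface);` line in wp_presentation_feedback and the `g_clear_object (&feedback->surface);` in wp_presentation_feedback_destructor are the only places that express the contract. Because the feedback is linked into the surface's pending-state list while also pinning the surface, it is worth confirming (not visible in these hunks) that the list is emptied when the wl_surface resource is destroyed rather than at finalize, otherwise the surface stays alive until the client destroys the feedback resource. Code that reads feedback->surface after the client has destroyed the wl_surface now gets a live GObject whose protocol resource is presumably gone, so it should not assume the surface is still usable. I would add `/* Owned reference, dropped in wp_presentation_feedback_destructor(); the surface may already have lost its wl_resource. */` above the assignment. Both function bodies start outside the hunks.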