wayland: Take surface reference for presentation-time feedback

Without this, the feedback->surface pointer could outlive the surface
it pointed to, which could result in use-after-free.

One consequence of this is that if a MetaWaylandPresentationFeedback
object ever lingers on longer than expected, it would keep the
MetaWaylandSurface alive as well.

Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/2585
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2886>
This commit is contained in:
Michel Dänzer 2023-01-18 16:03:40 +01:00 committed by Marge Bot
parent beeeea546b
commit 3d28e03a29

View File

@ -42,6 +42,7 @@ wp_presentation_feedback_destructor (struct wl_resource *resource)
wl_resource_get_user_data (resource); wl_resource_get_user_data (resource);
wl_list_remove (&feedback->link); wl_list_remove (&feedback->link);
g_clear_object (&feedback->surface);
g_free (feedback); g_free (feedback);
} }
@ -83,7 +84,7 @@ wp_presentation_feedback (struct wl_client *client,
pending = meta_wayland_surface_get_pending_state (surface); pending = meta_wayland_surface_get_pending_state (surface);
wl_list_insert (&pending->presentation_feedback_list, &feedback->link); wl_list_insert (&pending->presentation_feedback_list, &feedback->link);
feedback->surface = surface; feedback->surface = g_object_ref (surface);
} }
static const struct wp_presentation_interface static const struct wp_presentation_interface