xwayland.c handle_map(): NULL out xsurface->data() to prevent crashing. - sway

commit 74c0e7921ae13986eb7d79bfa263f7ddb9312440
parent d19f4f7bf866660d2199cb726bc3708eb42f98dd
Author: A. M. Joseph <adam@westerntelegraphic.net>
Date:   Wed, 16 Oct 2019 23:55:40 -0700

xwayland.c handle_map(): NULL out xsurface->data() to prevent crashing.

When changing a surface from managed to unmanaged in handle_map(), the
call to handle_destroy(.., view) causes the sway_xwayland_view pointed
to by the untyped wlr_xwayland_surface.data field to become invalid
garbage, yet the untyped wlr_xwayland_surface.data continues to point
at it.  In particular: view_get_*(view_from_wlr_surface(..)), even
with appropriate NULL checking, will crash sway when this codepath is
exercised (reliable test case: drop-down menus in Google Earth).

Diffstat:
M sway/desktop/xwayland.c  | 1 +

1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/sway/desktop/xwayland.c b/sway/desktop/xwayland.c
@@ -401,6 +401,7 @@ static void handle_map(struct wl_listener *listener, void *data) {
 		// This window used not to have the override redirect flag and has it
 		// now. Switch to unmanaged.
 		handle_destroy(&xwayland_view->destroy, view);
+		xsurface->data = NULL;
 		struct sway_xwayland_unmanaged *unmanaged = create_unmanaged(xsurface);
 		unmanaged_handle_map(&unmanaged->map, xsurface);
 		return;

	sway i3-compatible Wayland compositor
	git clone https://git.awy.one/sway
	Log \| Files \| Refs \| README \| LICENSE