input/cursor: handle image surface destroy

This adds a listener for the destroy event of the cursor image surface.
This prevents a use-after-free when the last visible image surface is
freed, there has not been a new cursor set, and the cursor is reshown.
This commit is contained in:
Brian Ashworth 2020-01-05 16:50:48 -05:00 committed by Simon Ser
parent b977c02e35
commit 897c36b12c
2 changed files with 19 additions and 0 deletions

View file

@ -58,6 +58,7 @@ struct sway_cursor {
uint32_t tool_buttons; uint32_t tool_buttons;
struct wl_listener request_set_cursor; struct wl_listener request_set_cursor;
struct wl_listener image_surface_destroy;
struct wl_listener constraint_commit; struct wl_listener constraint_commit;

View file

@ -789,6 +789,15 @@ static void handle_pointer_swipe_end(struct wl_listener *listener, void *data) {
cursor->pointer_gestures, cursor->seat->wlr_seat, cursor->pointer_gestures, cursor->seat->wlr_seat,
event->time_msec, event->cancelled); event->time_msec, event->cancelled);
} }
static void handle_image_surface_destroy(struct wl_listener *listener,
void *data) {
struct sway_cursor *cursor =
wl_container_of(listener, cursor, image_surface_destroy);
cursor_set_image(cursor, NULL, cursor->image_client);
cursor_rebase(cursor);
}
void cursor_set_image(struct sway_cursor *cursor, const char *image, void cursor_set_image(struct sway_cursor *cursor, const char *image,
struct wl_client *client) { struct wl_client *client) {
if (!(cursor->seat->wlr_seat->capabilities & WL_SEAT_CAPABILITY_POINTER)) { if (!(cursor->seat->wlr_seat->capabilities & WL_SEAT_CAPABILITY_POINTER)) {
@ -797,7 +806,9 @@ void cursor_set_image(struct sway_cursor *cursor, const char *image,
const char *current_image = cursor->image; const char *current_image = cursor->image;
cursor->image = image; cursor->image = image;
wl_list_remove(&cursor->image_surface_destroy.link);
cursor->image_surface = NULL; cursor->image_surface = NULL;
wl_list_init(&cursor->image_surface_destroy.link);
cursor->hotspot_x = cursor->hotspot_y = 0; cursor->hotspot_x = cursor->hotspot_y = 0;
cursor->image_client = client; cursor->image_client = client;
@ -821,7 +832,10 @@ void cursor_set_image_surface(struct sway_cursor *cursor,
} }
cursor->image = NULL; cursor->image = NULL;
wl_list_remove(&cursor->image_surface_destroy.link);
cursor->image_surface = surface; cursor->image_surface = surface;
wl_signal_add(&cursor->image_surface->events.destroy,
&cursor->image_surface_destroy);
cursor->hotspot_x = hotspot_x; cursor->hotspot_x = hotspot_x;
cursor->hotspot_y = hotspot_y; cursor->hotspot_y = hotspot_y;
cursor->image_client = client; cursor->image_client = client;
@ -840,6 +854,7 @@ void sway_cursor_destroy(struct sway_cursor *cursor) {
wl_event_source_remove(cursor->hide_source); wl_event_source_remove(cursor->hide_source);
wl_list_remove(&cursor->image_surface_destroy.link);
wl_list_remove(&cursor->pinch_begin.link); wl_list_remove(&cursor->pinch_begin.link);
wl_list_remove(&cursor->pinch_update.link); wl_list_remove(&cursor->pinch_update.link);
wl_list_remove(&cursor->pinch_end.link); wl_list_remove(&cursor->pinch_end.link);
@ -885,6 +900,9 @@ struct sway_cursor *sway_cursor_create(struct sway_seat *seat) {
cursor->hide_source = wl_event_loop_add_timer(server.wl_event_loop, cursor->hide_source = wl_event_loop_add_timer(server.wl_event_loop,
hide_notify, cursor); hide_notify, cursor);
wl_list_init(&cursor->image_surface_destroy.link);
cursor->image_surface_destroy.notify = handle_image_surface_destroy;
cursor->pointer_gestures = wlr_pointer_gestures_v1_create(server.wl_display); cursor->pointer_gestures = wlr_pointer_gestures_v1_create(server.wl_display);
cursor->pinch_begin.notify = handle_pointer_pinch_begin; cursor->pinch_begin.notify = handle_pointer_pinch_begin;
wl_signal_add(&wlr_cursor->events.pinch_begin, &cursor->pinch_begin); wl_signal_add(&wlr_cursor->events.pinch_begin, &cursor->pinch_begin);