From e11bc058ac7b70921600e113d3621d224f663e17 Mon Sep 17 00:00:00 2001
From: Andri Yngvason
Date: Mon, 28 Dec 2020 02:53:43 +0000
Subject: [PATCH] input/seat: Clean up focus_stack in seat_destroy()

This fixes use-after-free when seat_destroy() has been called.
---
 sway/input/seat.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sway/input/seat.c b/sway/input/seat.c
index de1a1881..dbb69ba0 100644
--- a/sway/input/seat.c
+++ b/sway/input/seat.c
@@ -46,11 +46,22 @@ static void seat_device_destroy(struct sway_seat_device *seat_device) {
 free(seat_device);
 }
 
+static void seat_node_destroy(struct sway_seat_node *seat_node) {
+ wl_list_remove(&seat_node->destroy.link);
+ wl_list_remove(&seat_node->link);
+ free(seat_node);
+}
+
 void seat_destroy(struct sway_seat *seat) {
 struct sway_seat_device *seat_device, *next;
 wl_list_for_each_safe(seat_device, next, &seat->devices, link) {
 seat_device_destroy(seat_device);
 }
+ struct sway_seat_node *seat_node, *next_seat_node;
+ wl_list_for_each_safe(seat_node, next_seat_node, &seat->focus_stack,
+ link) {
+ seat_node_destroy(seat_node);
+ }
 sway_input_method_relay_finish(&seat->im_relay);
 sway_cursor_destroy(seat->cursor);
 wl_list_remove(&seat->new_node.link);
@@ -68,12 +79,6 @@ void seat_destroy(struct sway_seat *seat) {
 free(seat);
 }
 
-static void seat_node_destroy(struct sway_seat_node *seat_node) {
- wl_list_remove(&seat_node->destroy.link);
- wl_list_remove(&seat_node->link);
- free(seat_node);
-}
-
 void seat_idle_notify_activity(struct sway_seat *seat,
 enum sway_input_idle_source source) {
 uint32_t mask = seat->idle_inhibit_sources;
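Review bot: The focus_stack loop added to seat_destroy() in the first hunk has no comment recording why the entries must be torn down here, and that lifetime rule is the whole point of the fix. seat_node_destroy() unhooks `seat_node->destroy.link` before freeing, which suggests each entry holds a listener that would otherwise fire after the seat is gone; a comment above the loop such as `/* Unhook and free every focus_stack entry: their destroy listeners must not outlive the seat (use-after-free). */` would keep a later refactor from dropping or reordering it. The part of seat_destroy() between the two hunks is not shown, so it is worth confirming that nothing later in the teardown still walks seat->focus_stack. A regression run under AddressSanitizer that destroys a seat and afterwards destroys a node that was on its focus stack would pin the fix down.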