author | Tudor Brindus <me@tbrindus.ca> | 2020-05-26 10:05:33 -0400 |
---|---|---|
committer | Simon Ser <contact@emersion.fr> | 2020-05-26 16:24:52 +0200 |
commit | d71fed95da5af5a489d2ea68b87a306ddc4d238d (patch) | |
tree | 12f9433510ad1827fe86d77a672b748238057766 | |
parent | input/cursor: fix heap-buffer overflow in constraint set_region (diff) | |
input/cursor: keep reference to cursor in constraint
set_region accepts a NULL *data, so we can't use it to reference the
constraint and find the cursor through its seat.
Fixes #5386.
-rw-r--r-- | include/sway/input/seat.h | 1 | ||||
-rw-r--r-- | sway/input/cursor.c | 8 |
2 files changed, 4 insertions, 5 deletions
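--- a/include/sway/input/seat.h
+++ b/include/sway/input/seat.h
@@ -111,6 +111,7 @@ struct sway_seat {
 };
 
 struct sway_pointer_constraint {
+struct sway_cursor *cursor;
 struct wlr_pointer_constraint_v1 *constraint;
 
 struct wl_listener set_region;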
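Review bot: The new `cursor` member is a raw, non-owning pointer and the struct says nothing about its lifetime, yet both the set_region and destroy handlers in sway/input/cursor.c now dereference it without going through the seat. If a cursor can be freed while one of its constraints is still alive, those handlers would touch freed memory; whether teardown order rules that out is not visible on this page. I would document the invariant on the field, for example `struct sway_cursor *cursor; // borrowed from the seat; must outlive this constraint`. The struct definition continues past the end of the hunk.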
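--- a/sway/input/cursor.c
+++ b/sway/input/cursor.c
@@ -833,9 +833,7 @@ static void handle_pointer_constraint_set_region(struct wl_listener *listener,
 void *data) {
 struct sway_pointer_constraint *sway_constraint =
 wl_container_of(listener, sway_constraint, set_region);
-struct wlr_pointer_constraint_v1 *constraint = data;
-struct sway_seat *seat = constraint->seat->data;
-struct sway_cursor *cursor = seat->cursor;
+struct sway_cursor *cursor = sway_constraint->cursor;
 
 cursor->active_confine_requires_warp = true;
 }
@@ -1248,8 +1246,7 @@ void handle_constraint_destroy(struct wl_listener *listener, void *data) {
 struct sway_pointer_constraint *sway_constraint =
 wl_container_of(listener, sway_constraint, destroy);
 struct wlr_pointer_constraint_v1 *constraint = data;
-struct sway_seat *seat = constraint->seat->data;
-struct sway_cursor *cursor = seat->cursor;
+struct sway_cursor *cursor = sway_constraint->cursor;
 
 wl_list_remove(&sway_constraint->set_region.link);
 wl_list_remove(&sway_constraint->destroy.link);
@@ -1273,6 +1270,7 @@ void handle_pointer_constraint(struct wl_listener *listener, void *data) {
 
 struct sway_pointer_constraint *sway_constraint =
 calloc(1, sizeof(struct sway_pointer_constraint));
+sway_constraint->cursor = seat->cursor;
 sway_constraint->constraint = constraint;
 
 sway_constraint->set_region.notify = handle_pointer_constraint_set_region;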
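Review bot: In the last hunk the added `sway_constraint->cursor = seat->cursor;` is now the first write through the pointer returned by `calloc`, and no NULL check sits between the allocation and that store. A failed allocation therefore becomes a NULL dereference in the compositor, on a path that a client reaches by creating a pointer constraint. A guard right after the allocation would cover it, e.g. `if (!sway_constraint) { return; }`. handle_pointer_constraint starts and ends outside the hunk, so how `seat` is obtained and what else would need unwinding on that early return is not visible here.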