From 9d48a3d78d830a5bd432267e3be065d526543a5f Mon Sep 17 00:00:00 2001 From: Brian Ashworth Date: Sun, 5 Jan 2020 16:50:48 -0500 Subject: input/cursor: handle image surface destroy This adds a listener for the destroy event of the cursor image surface. This prevents a use-after-free when the last visible image surface is freed, there has not been a new cursor set, and the cursor is reshown. --- include/sway/input/cursor.h | 1 + sway/input/cursor.c | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/include/sway/input/cursor.h b/include/sway/input/cursor.h index 0bcd262f..5b6f9a9f 100644 --- a/include/sway/input/cursor.h +++ b/include/sway/input/cursor.h @@ -58,6 +58,7 @@ struct sway_cursor { uint32_t tool_buttons; struct wl_listener request_set_cursor; + struct wl_listener image_surface_destroy; struct wl_listener constraint_commit; diff --git a/sway/input/cursor.c b/sway/input/cursor.c index 680fe39e..215dc767 100644 --- a/sway/input/cursor.c +++ b/sway/input/cursor.c @@ -789,6 +789,15 @@ static void handle_pointer_swipe_end(struct wl_listener *listener, void *data) { cursor->pointer_gestures, cursor->seat->wlr_seat, event->time_msec, event->cancelled); } + +static void handle_image_surface_destroy(struct wl_listener *listener, + void *data) { + struct sway_cursor *cursor = + wl_container_of(listener, cursor, image_surface_destroy); + cursor_set_image(cursor, NULL, cursor->image_client); + cursor_rebase(cursor); +} + void cursor_set_image(struct sway_cursor *cursor, const char *image, struct wl_client *client) { if (!(cursor->seat->wlr_seat->capabilities & WL_SEAT_CAPABILITY_POINTER)) { @@ -797,7 +806,9 @@ void cursor_set_image(struct sway_cursor *cursor, const char *image, const char *current_image = cursor->image; cursor->image = image; + wl_list_remove(&cursor->image_surface_destroy.link); cursor->image_surface = NULL; + wl_list_init(&cursor->image_surface_destroy.link); cursor->hotspot_x = cursor->hotspot_y = 0; cursor->image_client = client; @@ -821,7 +832,10 @@ void cursor_set_image_surface(struct sway_cursor *cursor, } cursor->image = NULL; + wl_list_remove(&cursor->image_surface_destroy.link); cursor->image_surface = surface; + wl_signal_add(&cursor->image_surface->events.destroy, + &cursor->image_surface_destroy); cursor->hotspot_x = hotspot_x; cursor->hotspot_y = hotspot_y; cursor->image_client = client; @@ -840,6 +854,7 @@ void sway_cursor_destroy(struct sway_cursor *cursor) { wl_event_source_remove(cursor->hide_source); + wl_list_remove(&cursor->image_surface_destroy.link); wl_list_remove(&cursor->pinch_begin.link); wl_list_remove(&cursor->pinch_update.link); wl_list_remove(&cursor->pinch_end.link); @@ -885,6 +900,9 @@ struct sway_cursor *sway_cursor_create(struct sway_seat *seat) { cursor->hide_source = wl_event_loop_add_timer(server.wl_event_loop, hide_notify, cursor); + wl_list_init(&cursor->image_surface_destroy.link); + cursor->image_surface_destroy.notify = handle_image_surface_destroy; + cursor->pointer_gestures = wlr_pointer_gestures_v1_create(server.wl_display); cursor->pinch_begin.notify = handle_pointer_pinch_begin; wl_signal_add(&wlr_cursor->events.pinch_begin, &cursor->pinch_begin); -- cgit v1.2.3-54-g00ecf