From 9ef5cc03f1e452d2328fb126eb7a25d4f01be1dd Mon Sep 17 00:00:00 2001
From: Andri Yngvason <andri@yngvason.is>
Date: Mon, 28 Dec 2020 21:36:12 +0000
Subject: input/seat: Reset command handler context in seat_destroy()

This fixes a dangling reference which causes a use-after-free.
---
 sway/input/seat.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sway/input/seat.c b/sway/input/seat.c
index dbb69ba0..1f5865ee 100644
--- a/sway/input/seat.c
+++ b/sway/input/seat.c
@@ -15,6 +15,7 @@
 #include "config.h"
 #include "list.h"
 #include "log.h"
+#include "sway/config.h"
 #include "sway/desktop.h"
 #include "sway/input/cursor.h"
 #include "sway/input/input-manager.h"
@@ -53,6 +54,9 @@ static void seat_node_destroy(struct sway_seat_node *seat_node) {
 }
 
 void seat_destroy(struct sway_seat *seat) {
+	if (seat == config->handler_context.seat) {
+		config->handler_context.seat = input_manager_get_default_seat();
+	}
 	struct sway_seat_device *seat_device, *next;
 	wl_list_for_each_safe(seat_device, next, &seat->devices, link) {
 		seat_device_destroy(seat_device);
-- 
cgit v1.2.3-54-g00ecf