From fcb7ad925dafe2d4f1966dede1ce41ad7430c1f1 Mon Sep 17 00:00:00 2001 From: emersion Date: Thu, 26 Apr 2018 15:58:41 +0100 Subject: [PATCH 1/3] layer-shell: fix use-after-free when client requests an invalid layer --- types/wlr_layer_shell.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/types/wlr_layer_shell.c b/types/wlr_layer_shell.c index 1fd0977b..86b67d7e 100644 --- a/types/wlr_layer_shell.c +++ b/types/wlr_layer_shell.c @@ -338,7 +338,7 @@ static void layer_shell_handle_get_layer_surface(struct wl_client *wl_client, surface->layer = layer; if (layer > ZWLR_LAYER_SHELL_V1_LAYER_OVERLAY) { free(surface); - wl_resource_post_error(surface->resource, + wl_resource_post_error(client_resource, ZWLR_LAYER_SHELL_V1_ERROR_INVALID_LAYER, "Invalid layer %d", layer); return; From 874909dca6f58e91b2db4827c9bbc7f356292123 Mon Sep 17 00:00:00 2001 From: emersion Date: Thu, 26 Apr 2018 15:59:23 +0100 Subject: [PATCH 2/3] xdg-shell: fix invalid wlr_xdg_positioner alloc --- types/wlr_xdg_shell.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/types/wlr_xdg_shell.c b/types/wlr_xdg_shell.c index fce2a1bb..5fd3d33e 100644 --- a/types/wlr_xdg_shell.c +++ b/types/wlr_xdg_shell.c @@ -399,7 +399,7 @@ static const struct xdg_positioner_interface static void xdg_shell_handle_create_positioner(struct wl_client *wl_client, struct wl_resource *resource, uint32_t id) { struct wlr_xdg_positioner *positioner = - calloc(1, sizeof(struct wlr_xdg_positioner_resource)); + calloc(1, sizeof(struct wlr_xdg_positioner)); if (positioner == NULL) { wl_client_post_no_memory(wl_client); return; From c119c43b4838fc63273ac40ba7f29b412a62c2a4 Mon Sep 17 00:00:00 2001 From: emersion Date: Thu, 26 Apr 2018 15:59:58 +0100 Subject: [PATCH 3/3] xwayland/selection: fix little memory leak on error --- xwayland/selection/incoming.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xwayland/selection/incoming.c b/xwayland/selection/incoming.c index 1b596254..5deb2286 100644 --- a/xwayland/selection/incoming.c +++ b/xwayland/selection/incoming.c @@ -309,6 +309,7 @@ static bool source_get_targets(struct wlr_xwm_selection *selection, char **mime_type_ptr = wl_array_add(mime_types, sizeof(*mime_type_ptr)); if (mime_type_ptr == NULL) { + free(mime_type); break; } *mime_type_ptr = mime_type;