Commit Graph

3596 Commits

Author SHA1 Message Date
Drew DeVault b0f7072737
Merge pull request #1111 from martinetd/wlr-seat-destroy
wlr_seat destroy: fix use-after-free when destroying clients
2018-07-04 06:41:10 -07:00
Dominique Martinet 48e8da851d wlr_seat destroy: fix use-after-free when destroying clients
wl_resource_for_each_safe isn't safe to use here because it accesses
the list's head memory one last time at the end of the loop. Work
around this by breaking out early.

==19880==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000e6368 at pc 0x7fab68619de2 bp 0x7ffd5c91cee0 sp 0x7ffd5c91ced0
READ of size 8 at 0x60d0000e6368 thread T0
    #0 0x7fab68619de1 in wlr_seat_destroy ../types/seat/wlr_seat.c:179
    #1 0x7fab68619fb9 in handle_display_destroy ../types/seat/wlr_seat.c:196
    #2 0x7fab688e4f8f in wl_priv_signal_emit src/wayland-server.c:2024
    #3 0x7fab688e56ca in wl_display_destroy src/wayland-server.c:1092
    #4 0x40c11e in server_fini ../sway/server.c:138
    #5 0x40b1a8 in main ../sway/main.c:438
    #6 0x7fab67b5e18a in __libc_start_main ../csu/libc-start.c:308
    #7 0x409359 in _start (/opt/wayland/bin/sway+0x409359)

0x60d0000e6368 is located 24 bytes inside of 144-byte region [0x60d0000e6350,0x60d0000e63e0)
freed by thread T0 here:
    #0 0x7fab6a7d6880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fab68619805 in seat_client_handle_resource_destroy ../types/seat/wlr_seat.c:97
    #2 0x7fab688e5025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fab6a7d6e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fab686198df in seat_handle_bind ../types/seat/wlr_seat.c:127
    #2 0x7fab6530503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)
2018-07-04 14:50:14 +09:00
Drew DeVault 12dd9544f9
Merge pull request #1110 from apreiml/fix-focus-stack-change
fix: add stack update on focus change
2018-07-03 06:21:00 -07:00
Armin Preiml 26b2012b5e fix style issue 2018-07-03 15:11:02 +02:00
Armin Preiml e6d613ca2e fix: add stack update on focus change
Enable the stack update again for focus changes on non-focusable views.
2018-07-03 15:03:00 +02:00
emersion 742c66d93f
Merge pull request #1107 from ammen99/master
properly check if the point is inside the surface in wlr_surface_pointer_accepts_input
2018-07-03 11:43:57 +01:00
Ilia Bozhinov 00ccf5c3ae properly check if the point is inside the surface in wlr_surface_point_accepts_input 2018-07-03 10:29:02 +03:00
Drew DeVault 27cab67b96
Merge pull request #1105 from RyanDwyer/xdg-surface-for-each-popup
Introduce wlr_xdg_surface_for_each_popup
2018-07-01 06:39:06 -07:00
Ryan Dwyer 86f401e827 Introduce wlr_xdg_surface_for_each_popup
It is common to want to iterate an xdg-surface's popups separately from
the toplevel and subsurfaces. For example, popups are typically rendered
on top of most other surfaces.

wlr_xdg_surface_for_each_surface continues to iterate both surfaces and
popups to maintain backwards compatibility.
2018-07-01 23:24:39 +10:00
emersion 55dba13c6e
Merge pull request #1106 from martinetd/seat-destroy-uaf
wlr_seat destroy: fix use-after-free after primary selection source cancel
2018-07-01 13:23:50 +01:00
Dominique Martinet 9ddc2f39d0 wlr_seat destroy: fix use-after-free after primary selection source cancel
the primary_selection_source_destroy list points to memory freed by
that cancel callback, so remove from list before freeing
2018-07-01 21:04:43 +09:00
Drew DeVault 07209d062c
Merge pull request #1104 from VincentVanlaer/logind-fd-leak
Close fd's obtained from logind
2018-06-30 17:49:45 -07:00
Vincent Vanlaer ece58514b4 Close fd's obtained from logind 2018-07-01 02:22:57 +02:00
Drew DeVault 015ebc5750
Merge pull request #1069 from emersion/screencopy
Add wlr-screencopy-unstable-v1 support
2018-06-30 15:27:45 -07:00
emersion cc9b198f9e
render/gles2: ditch extra parens 2018-06-30 23:19:02 +01:00
emersion a7a96d7644
examples/screencopy: use libpng 2018-06-30 23:18:13 +01:00
emersion dbb01cbcd0
screencopy: listen to buffer destroy 2018-06-30 22:18:04 +01:00
emersion 9aaa9ba477
screencopy: make frame resource inert after copy 2018-06-30 22:18:04 +01:00
emersion c421700f3d
screncopy: update protocol 2018-06-30 22:18:04 +01:00
emersion bf7560b7cd
screencopy: add capture_output_region support 2018-06-30 22:18:04 +01:00
emersion 2b9cbaddf3
screencopy: add support for frame flags 2018-06-30 22:18:03 +01:00
emersion bd8be19b79
screencopy: add presentation timestamp 2018-06-30 22:18:03 +01:00
emersion 73755ad348
screencopy-v1: add basic implementation 2018-06-30 22:17:59 +01:00
Drew DeVault 02dfa9101e
Merge pull request #1102 from martinetd/wlr-subsurface-from-wlr-surface
s/wlr_subsurface_from_surface/wlr_subsurface_from_wlr_surface/
2018-06-30 06:29:35 -07:00
Dominique Martinet c263f7ca29 s/wlr_subsurface_from_surface/wlr_subsurface_from_wlr_surface/
This was the only x_from_wlr_surface function that lacked the wlr_ prefix,
let's have an API as uniform as possible.
2018-06-30 21:21:13 +09:00
emersion 167105e606
Merge pull request #1101 from martinetd/static-analysis
Static analysis fixes
2018-06-30 12:57:48 +01:00
Dominique Martinet 0c2a64df18 headless add_input_device: fix leak on error
Found through static analysis
2018-06-30 20:46:58 +09:00
Dominique Martinet 1fef1f88b2 export dmabuf manager_handle_capture_output: fix leak on error
Found through static analysis
2018-06-30 11:47:25 +09:00
Dominique Martinet e5348ad7d3 backend autocreate: fix leak when WLR_BACKENDS is set
Found through static analysis
2018-06-30 11:45:57 +09:00
Dominique Martinet 1940c6bbd9 wayland backend: fix width/height == 0 check
We cannot handle just one of the two being NULL later down the road
(e.g. divide by zero in matrix projection code),
just ignore any such configure request.

Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet 4cc4412481 wlr_renderer_destroy: fix renderer NULL check
renderer is checked for NULL, but was dereferenced before that.

Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet b3313b7f39 wlr_output: fix scope for 'now'
'when' points to now that was defined in the if, so compiler could reuse
that memory area by the time 'when' is called

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet 399de4d11b util/create_tmpfile: set restrictive umask for these files
Even if the file is removed right away, a race with someone using inotify
is definitely possible, so play safe and restrict umask for our tmpfiles

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet efef54ccf5 wlr_keyboard: fix mmap leak + logic on close for keymap_fd
mmap leak found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet 266898ca1f direct session backend: fix closing -1 on error
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet 1e17f4deb6 rootston: fix leak in handle_layer_shell_surface
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet bcc2c64c1e x11 backend init: fix leak on failed XOpenDisplay
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet 4f7b1382d4 wayland backend seat: fix NULL output check
The test was done after dereferencing output in pointer_handle_enter,
just move it up one line.
No reason pointer_handle_leave would not need the check if enter needs
it, add it there.

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet f0d455f088 drm backend: overflow fixes
These operations are done in 32-bit arithmetics before being casted to 64-bit,
thus can overflow before the cast.
Casting early fixes the issue.

Found through static analysis
2018-06-30 11:21:22 +09:00
emersion 63eb720871
Merge pull request #1100 from apreiml/fix-awt-focus-failure
do not send focus request to a window that doesn't allow it
2018-06-29 19:34:20 +01:00
Armin Preiml f93234d6f5 fix: tabs instead of spaces 2018-06-29 19:25:20 +02:00
Armin Preiml d0b3aed584 do not send focus request to a window that doesn't allow this 2018-06-29 17:58:47 +02:00
Drew DeVault f3a5d5dbd7
Merge pull request #1097 from emersion/contributing-inert-destroy-order
contributing: move wl_resource_set_user_data() right before free()
2018-06-28 06:40:18 -07:00
emersion ec7d4a0971
Merge pull request #1092 from martinetd/idle_inhibit
Idle inhibit cleanup
2018-06-28 14:33:07 +01:00
emersion 64665200fa
contributing: move wl_resource_set_user_data() right before free() 2018-06-28 14:28:42 +01:00
Dominique Martinet 93a75769f0 wlr_idle_inhibit_v1: cleanup destroy handlers
- Rename handlers to <type>_handle_resource_destroy and
<type>_handle_destroy to be coherent
 - Make sure we never destroy wl_resources when we shouldn't

Updates #999
2018-06-28 22:04:28 +09:00
emersion f01896c9d5
Merge pull request #1093 from martinetd/xdg_popup
xdg_shell popup: fix potential segv in handle_destroy
2018-06-28 13:30:28 +01:00
Dominique Martinet 0ced9df350 wlr_idle_inhibit_v1: add *data pointer to wlr structs 2018-06-28 20:29:44 +09:00
Dominique Martinet a3e2a77734 xdg_popup: fix call to to handle_grab for inert popup 2018-06-28 20:28:15 +09:00
Dominique Martinet 970687a01c xdg_shell popup: fix potential segv in handle_destroy
surface could be NULL there if the popup had been made
inert before
2018-06-28 13:54:35 +09:00