From 99ef3d5b2eec26178837a0419605d83cd0cbe44b Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Fri, 6 Dec 2019 15:06:14 +0100
Subject: [PATCH] Unset plane->layer and layer->plane on destroy

This fixes a use-after-free when destroying a layer/plane early.
---
 layer.c | 3 +++
 plane.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/layer.c b/layer.c
index 0ea465e..97b2e16 100644
--- a/layer.c
+++ b/layer.c
@@ -20,6 +20,9 @@ struct liftoff_layer *liftoff_layer_create(struct liftoff_output *output)
 void liftoff_layer_destroy(struct liftoff_layer *layer)
 {
 layer->output->layers_changed = true;
+ if (layer->plane != NULL) {
+ layer->plane->layer = NULL;
+ }
 if (layer->output->composition_layer == layer) {
 layer->output->composition_layer = NULL;
 }
diff --git a/plane.c b/plane.c
index e23b6c9..8762971 100644
--- a/plane.c
+++ b/plane.c
@@ -130,6 +130,9 @@ struct liftoff_plane *plane_create(struct liftoff_device *device, uint32_t id)

 void plane_destroy(struct liftoff_plane *plane)
 {
+ if (plane->layer != NULL) {
+ plane->layer->plane = NULL;
+ }
 liftoff_list_remove(&plane->link);
 free(plane->props);
 free(plane);
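Review bot: The new `if (layer->plane != NULL)` block in liftoff_layer_destroy carries no comment explaining why the back-pointer has to be cleared, and the pairing of `layer->plane` with `plane->layer` is now kept in sync by hand in two files. I would put `/* The plane can outlive this layer: clear its back-pointer so it does not dangle */` above the block. The diffstat lists only layer.c and plane.c, so nothing exercises the early-destroy path that triggered the use-after-free. A regression test that destroys a layer while it still holds a plane, then runs allocation again under AddressSanitizer, would keep both this hunk and the plane.c one covered. The body of liftoff_layer_destroy continues past the end of the hunk.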
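Review bot: The block added at the top of plane_destroy clears `plane->layer->plane` but, unlike liftoff_layer_destroy in layer.c, never sets `layers_changed` on the owning output. If the allocator skips work when nothing is flagged as changed (that logic is not visible in this patch, so this needs confirming), the layer that just lost its plane could be left unassigned until some unrelated change forces a re-allocation. Adding `plane->layer->output->layers_changed = true;` inside the new `if` before the pointer is cleared would make the two destroy paths symmetric. The closing brace of plane_destroy is outside the hunk.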