src/seat-impl: Keep device variable alive for longer
In meta_seat_impl_remove_virtual_input_device(), the 'device' variable is first removed from MetaSeatImpl, then a "device removed" event is generated with it. The problem here is that, if this is the last reference of 'device', the removal from MetaSeatImpl will destroy it. Then the freed variable will be used to create the "device removed" event, which is a use-after-free situation. Fix that by owning an extra ref to 'device' as long as the function is executing. Do this by declaring a g_autoptr variable with the extra ref. This g_autoptr variable is cleaned up by the end of the function, which achieves the desired effect. Spotted by Coverity. CID: #1594046 Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/3835>
This commit is contained in:
parent
cb4b31f858
commit
de2aac7a3d
1 changed files with 5 additions and 0 deletions
|
@ -3920,8 +3920,13 @@ void
|
||||||
meta_seat_impl_remove_virtual_input_device (MetaSeatImpl *seat_impl,
|
meta_seat_impl_remove_virtual_input_device (MetaSeatImpl *seat_impl,
|
||||||
ClutterInputDevice *device)
|
ClutterInputDevice *device)
|
||||||
{
|
{
|
||||||
|
g_autoptr (ClutterInputDevice) owned_device = NULL;
|
||||||
ClutterEvent *device_event;
|
ClutterEvent *device_event;
|
||||||
|
|
||||||
|
g_assert (CLUTTER_IS_INPUT_DEVICE (device));
|
||||||
|
|
||||||
|
owned_device = g_object_ref (device);
|
||||||
|
|
||||||
meta_seat_impl_remove_device (seat_impl, device);
|
meta_seat_impl_remove_device (seat_impl, device);
|
||||||
|
|
||||||
device_event = clutter_event_device_notify_new (CLUTTER_DEVICE_REMOVED,
|
device_event = clutter_event_device_notify_new (CLUTTER_DEVICE_REMOVED,
|
||||||
|
|
Loading…
Reference in a new issue