1
0
Fork 0

src/seat-impl: Keep device variable alive for longer

In meta_seat_impl_remove_virtual_input_device(), the 'device'
variable is first removed from MetaSeatImpl, then a "device
removed" event is generated with it.

The problem here is that, if this is the last reference of
'device', the removal from MetaSeatImpl will destroy it. Then
the freed variable will be used to create the "device removed"
event, which is a use-after-free situation.

Fix that by owning an extra ref to 'device' as long as the
function is executing. Do this by declaring a g_autoptr
variable with the extra ref. This g_autoptr variable is cleaned
up by the end of the function, which achieves the desired effect.

Spotted by Coverity.

CID: #1594046
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/3835>
This commit is contained in:
Georges Basile Stavracas Neto 2024-06-21 22:02:28 -03:00 committed by Marge Bot
parent cb4b31f858
commit de2aac7a3d

View file

@ -3920,8 +3920,13 @@ void
meta_seat_impl_remove_virtual_input_device (MetaSeatImpl *seat_impl, meta_seat_impl_remove_virtual_input_device (MetaSeatImpl *seat_impl,
ClutterInputDevice *device) ClutterInputDevice *device)
{ {
g_autoptr (ClutterInputDevice) owned_device = NULL;
ClutterEvent *device_event; ClutterEvent *device_event;
g_assert (CLUTTER_IS_INPUT_DEVICE (device));
owned_device = g_object_ref (device);
meta_seat_impl_remove_device (seat_impl, device); meta_seat_impl_remove_device (seat_impl, device);
device_event = clutter_event_device_notify_new (CLUTTER_DEVICE_REMOVED, device_event = clutter_event_device_notify_new (CLUTTER_DEVICE_REMOVED,