From 6c9526761cd5d17b732dc00b7bbcdb7b0f5e3259 Mon Sep 17 00:00:00 2001
From: outfoxxed <outfoxxed@outfoxxed.me>
Date: Fri, 31 May 2024 00:24:58 -0700
Subject: [PATCH] wayland: fix UAF in layershell surface destructor

---
 src/wayland/wlr_layershell/surface.cpp | 11 +++++++++--
 src/wayland/wlr_layershell/window.cpp  |  6 ++++++
 src/wayland/wlr_layershell/window.hpp  |  3 +++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/wayland/wlr_layershell/surface.cpp b/src/wayland/wlr_layershell/surface.cpp
index ac80ebd0..5c369f2b 100644
--- a/src/wayland/wlr_layershell/surface.cpp
+++ b/src/wayland/wlr_layershell/surface.cpp
@@ -7,7 +7,6 @@
 #include <private/qwaylandsurface_p.h>
 #include <private/qwaylandwindow_p.h>
 #include <qlogging.h>
-#include <qpoint.h>
 #include <qrect.h>
 #include <qsize.h>
 #include <qtversionchecks.h>
@@ -18,6 +17,10 @@
 #include "shell_integration.hpp"
 #include "window.hpp"
 
+#if QT_VERSION < QT_VERSION_CHECK(6, 7, 0)
+#include <qpoint.h>
+#endif
+
 // clang-format off
 [[nodiscard]] QtWayland::zwlr_layer_shell_v1::layer toWaylandLayer(const WlrLayer::Enum& layer) noexcept;
 [[nodiscard]] QtWayland::zwlr_layer_surface_v1::anchor toWaylandAnchors(const Anchors& anchors) noexcept;
@@ -72,7 +75,10 @@ QSWaylandLayerSurface::QSWaylandLayerSurface(
 }
 
 QSWaylandLayerSurface::~QSWaylandLayerSurface() {
-	this->ext->surface = nullptr;
+	if (this->ext != nullptr) {
+		this->ext->surface = nullptr;
+	}
+
 	this->destroy();
 }
 
@@ -106,6 +112,7 @@ void QSWaylandLayerSurface::applyConfigure() {
 }
 
 void QSWaylandLayerSurface::setWindowGeometry(const QRect& geometry) {
+	if (this->ext == nullptr) return;
 	auto size = constrainedSize(this->ext->mAnchors, geometry.size());
 	this->set_size(size.width(), size.height());
 }
diff --git a/src/wayland/wlr_layershell/window.cpp b/src/wayland/wlr_layershell/window.cpp
index 035bae1d..a671d59e 100644
--- a/src/wayland/wlr_layershell/window.cpp
+++ b/src/wayland/wlr_layershell/window.cpp
@@ -13,6 +13,12 @@
 #include "shell_integration.hpp"
 #include "surface.hpp"
 
+LayershellWindowExtension::~LayershellWindowExtension() {
+	if (this->surface != nullptr) {
+		this->surface->ext = nullptr;
+	}
+}
+
 LayershellWindowExtension* LayershellWindowExtension::get(QWindow* window) {
 	auto v = window->property("layershell_ext");
 
diff --git a/src/wayland/wlr_layershell/window.hpp b/src/wayland/wlr_layershell/window.hpp
index 163f3aa7..37092a6a 100644
--- a/src/wayland/wlr_layershell/window.hpp
+++ b/src/wayland/wlr_layershell/window.hpp
@@ -2,6 +2,7 @@
 
 #include <qobject.h>
 #include <qscreen.h>
+#include <qtclasshelpermacros.h>
 #include <qtmetamacros.h>
 #include <qtypes.h>
 #include <qwindow.h>
@@ -56,6 +57,8 @@ class LayershellWindowExtension: public QObject {
 
 public:
 	LayershellWindowExtension(QObject* parent = nullptr): QObject(parent) {}
+	~LayershellWindowExtension() override;
+	Q_DISABLE_COPY_MOVE(LayershellWindowExtension);
 
 	// returns the layershell extension if attached, otherwise nullptr
 	static LayershellWindowExtension* get(QWindow* window);