From d195ca76806bae53cf5ac6d5dda95b49f069373c Mon Sep 17 00:00:00 2001
From: outfoxxed
Date: Wed, 15 Jan 2025 03:24:19 -0800
Subject: [PATCH] wayland/screencopy: fix UAF in dmabuf modifier collection

The QList optimization the code was for no longer exists.
---
 src/wayland/buffer/dmabuf.cpp | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/src/wayland/buffer/dmabuf.cpp b/src/wayland/buffer/dmabuf.cpp
index c6c7724f..09abc15f 100644
--- a/src/wayland/buffer/dmabuf.cpp
+++ b/src/wayland/buffer/dmabuf.cpp
@@ -167,7 +167,6 @@ void LinuxDmabufFeedback::zwp_linux_dmabuf_feedback_v1_tranche_formats(wl_array*
 auto indexTableLength = indices->size / sizeof(uint16_t);
 uint32_t lastFormat = 0;
- LinuxDmabufModifiers* lastModifiers = nullptr;
 LinuxDmabufModifiers* modifiers = nullptr;
 for (uint16_t ti = 0; ti != indexTableLength; ++ti) {
@@ -176,14 +175,7 @@ void LinuxDmabufFeedback::zwp_linux_dmabuf_feedback_v1_tranche_formats(wl_array*
 // Compositors usually send a single format's modifiers as a block.
 if (!modifiers || entry.format != lastFormat) {
- // We can often share modifier lists between formats
- if (lastModifiers && modifiers->modifiers == lastModifiers->modifiers) {
- // avoids storing a second list
- modifiers->modifiers = lastModifiers->modifiers;
- }
-
 lastFormat = entry.format;
- lastModifiers = modifiers;
 auto modifiersIter = std::ranges::find_if(tranche.formats.formats, [&](const auto& pair) {
 return pair.first == entry.format;
@@ -203,10 +195,6 @@ void LinuxDmabufFeedback::zwp_linux_dmabuf_feedback_v1_tranche_formats(wl_array*
 modifiers->modifiers.push(entry.modifier);
 }
 }
-
- if (lastModifiers && modifiers && modifiers->modifiers == lastModifiers->modifiers) {
- modifiers->modifiers = lastModifiers->modifiers;
- }
 }
 void LinuxDmabufFeedback::zwp_linux_dmabuf_feedback_v1_tranche_done() {