wayland: fix UAF in layershell surface destructor

outfoxxed 2024-05-31 00:24:58 -07:00
parent 7feae55ebe
commit 6c9526761c
Signed by: outfoxxed
GPG key ID: 4C88A185FB89301E
3 changed files with 18 additions and 2 deletions


@ -7,7 +7,6 @@
#include <private/qwaylandsurface_p.h>
#include <private/qwaylandwindow_p.h>
#include <qlogging.h>
#include <qpoint.h>
#include <qrect.h>
#include <qsize.h>
#include <qtversionchecks.h>
@ -18,6 +17,10 @@
#include "shell_integration.hpp"
#include "window.hpp"
#if QT_VERSION < QT_VERSION_CHECK(6, 7, 0)
#include <qpoint.h>
#endif
// clang-format off
[[nodiscard]] QtWayland::zwlr_layer_shell_v1::layer toWaylandLayer(const WlrLayer::Enum& layer) noexcept;
[[nodiscard]] QtWayland::zwlr_layer_surface_v1::anchor toWaylandAnchors(const Anchors& anchors) noexcept;
@ -72,7 +75,10 @@ QSWaylandLayerSurface::QSWaylandLayerSurface(
}
QSWaylandLayerSurface::~QSWaylandLayerSurface() {
this->ext->surface = nullptr;
if (this->ext != nullptr) {
this->ext->surface = nullptr;
}
this->destroy();
}
@ -106,6 +112,7 @@ void QSWaylandLayerSurface::applyConfigure() {
}
void QSWaylandLayerSurface::setWindowGeometry(const QRect& geometry) {
if (this->ext == nullptr) return;
auto size = constrainedSize(this->ext->mAnchors, geometry.size());
this->set_size(size.width(), size.height());
}
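Review bot: The null guard on `this->ext` is added only in `~QSWaylandLayerSurface` and `setWindowGeometry`, so any other member that reads `this->ext` after the extension has been destroyed will now dereference a null pointer instead of freed memory. The body of `applyConfigure` lies outside these hunks (only its closing brace is visible), so it and the remaining members should be checked for the same `if (this->ext == nullptr) return;` guard. A short comment on the destructor check, such as `// ext is reset by ~LayershellWindowExtension when the extension is destroyed first`, would record why the pointer can legitimately be null here.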


@ -13,6 +13,12 @@
#include "shell_integration.hpp"
#include "surface.hpp"
LayershellWindowExtension::~LayershellWindowExtension() {
if (this->surface != nullptr) {
this->surface->ext = nullptr;
}
}
LayershellWindowExtension* LayershellWindowExtension::get(QWindow* window) {
auto v = window->property("layershell_ext");
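Review bot: The two raw back-pointers (`ext->surface` and `surface->ext`) stay valid only because each destructor resets the other side, and nothing in the code shown states that invariant. A comment above `~LayershellWindowExtension`, e.g. `// detach from the surface so it does not keep a dangling ext pointer`, would make the pairing with `~QSWaylandLayerSurface` explicit for the next change that touches either pointer. Because LayershellWindowExtension derives from QObject, holding it in the surface as `QPointer<LayershellWindowExtension>` is an alternative that nulls itself on destruction. Whether that fits depends on the member declaration, presumably in surface.hpp, which is not part of this diff.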


@ -2,6 +2,7 @@
#include <qobject.h>
#include <qscreen.h>
#include <qtclasshelpermacros.h>
#include <qtmetamacros.h>
#include <qtypes.h>
#include <qwindow.h>
@ -56,6 +57,8 @@ class LayershellWindowExtension: public QObject {
public:
LayershellWindowExtension(QObject* parent = nullptr): QObject(parent) {}
~LayershellWindowExtension() override;
Q_DISABLE_COPY_MOVE(LayershellWindowExtension);
// returns the layershell extension if attached, otherwise nullptr
static LayershellWindowExtension* get(QWindow* window);