wayland: Destroy frame callback when destroying surface

If a frame callback is not destroyed when destroying a surface, its
handler function will be invoked if the surface was destroyed after the
callback was requested but before it was invoked, causing a write on
free:ed memory.

This can happen if eglDestroySurface() is called shortly after
eglSwapBuffers().

Note: This is a candidate for stable branches.

Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>

diff --git a/src/egl/drivers/dri2/platform_wayland.c b/src/egl/drivers/dri2/platform_wayland.c
index 9153ef929398b6435a32b8bcfae39bac42280f87..772116a19252d5f210634f342f87f212814fc35d 100644 (file)
--- a/src/egl/drivers/dri2/platform_wayland.c
+++ b/src/egl/drivers/dri2/platform_wayland.c
@@ -213,6 +213,9 @@ dri2_destroy_surface(_EGLDriver *drv, _EGLDisplay *disp, _EGLSurface *surf)
                                     dri2_surf->third_buffer);
    }
 
+   if (dri2_surf->frame_callback)
+      wl_callback_destroy(dri2_surf->frame_callback);
+
    free(surf);
 
    return EGL_TRUE;

diff --git a/src/gallium/state_trackers/egl/wayland/native_wayland.c b/src/gallium/state_trackers/egl/wayland/native_wayland.c
index 62c87f3b94369f3fa5c8e694284303e8d69b97af..560e40d4cee81a0df75ecd4eae2f2b08317815da 100644 (file)
--- a/src/gallium/state_trackers/egl/wayland/native_wayland.c
+++ b/src/gallium/state_trackers/egl/wayland/native_wayland.c
@@ -355,6 +355,9 @@ wayland_surface_destroy(struct native_surface *nsurf)
          wl_buffer_destroy(surface->buffer[buffer]);
    }
 
+   if (surface->frame_callback)
+      wl_callback_destroy(surface->frame_callback);
+
    resource_surface_destroy(surface->rsurf);
    FREE(surface);
 }