From d70f85d6b9e5bc8d0e9890eda55d05a2510f0037 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho
Date: Tue, 8 Oct 2019 17:46:38 +0200
Subject: [PATCH 1/2] gdk: Fix wl_output accounting on tablet devices

The code managing this accounting mixed seat and tablet output lists, can't bode well. Fixes invalid reads on list elements, as there are dangling pointers.
Closes: https://gitlab.gnome.org/GNOME/gtk/issues/2157
---
 gdk/wayland/gdkdevice-wayland.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk/wayland/gdkdevice-wayland.c b/gdk/wayland/gdkdevice-wayland.c
index a64f33c871..fa292d25a7 100644
--- a/gdk/wayland/gdkdevice-wayland.c
+++ b/gdk/wayland/gdkdevice-wayland.c
@@ -4616,7 +4616,7 @@ pointer_surface_enter (void *data,
 if (tablet)
 {
 tablet->pointer_info.pointer_surface_outputs =
- g_slist_append (seat->pointer_info.pointer_surface_outputs, output);
+ g_slist_append (tablet->pointer_info.pointer_surface_outputs, output);
 }
 else
 {
@@ -4645,7 +4645,7 @@ pointer_surface_leave (void *data,
 if (tablet)
 {
 tablet->pointer_info.pointer_surface_outputs =
- g_slist_remove (seat->pointer_info.pointer_surface_outputs, output);
+ g_slist_remove (tablet->pointer_info.pointer_surface_outputs, output);
 }
 else
 {
From bcd384711aab713d9928eb08fa0d1281b66bd659 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho
Date: Tue, 8 Oct 2019 17:50:48 +0200
Subject: [PATCH 2/2] gdk: Avoid poking possibly freed memory

The event may end up freed after delivery, ensure to keep the data we need in order to emit the matching emulated crossed event matching a proximity event.
Closes: https://gitlab.gnome.org/GNOME/gtk/issues/2157
---
 gdk/wayland/gdkdevice-wayland.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/gdk/wayland/gdkdevice-wayland.c b/gdk/wayland/gdkdevice-wayland.c
index fa292d25a7..4773f63ffa 100644
--- a/gdk/wayland/gdkdevice-wayland.c
+++ b/gdk/wayland/gdkdevice-wayland.c
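Review bot: In PATCH 1/2, `pointer_surface_enter` still names the owning struct twice in each list update, so a tablet assignment fed from the seat list (the bug fixed here) remains easy to reintroduce. Selecting the list head once would remove that: `GSList **outputs = tablet ? &tablet->pointer_info.pointer_surface_outputs : &seat->pointer_info.pointer_surface_outputs;` then `*outputs = g_slist_append (*outputs, output);`. The second hunk in `pointer_surface_leave` has the same shape with `g_slist_remove`. Both functions begin and end outside the hunks, so the `else` branches are assumed to mirror the tablet ones.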
@@ -3468,6 +3468,8 @@ static void
 gdk_wayland_tablet_flush_frame_event (GdkWaylandTabletData *tablet,
 guint32 time)
 {
+ GdkEventType event_type;
+ GdkWindow *window;
 GdkEvent *event;
 event = tablet->pointer_info.frame.event;
@@ -3476,7 +3478,10 @@ gdk_wayland_tablet_flush_frame_event (GdkWaylandTabletData *tablet,
 if (!event)
 return;
- switch (event->type)
+ event_type = event->type;
+ window = g_object_ref (gdk_event_get_window (event));
+
+ switch (event_type)
 {
 case GDK_MOTION_NOTIFY:
 event->motion.time = time;
@@ -3504,18 +3509,20 @@ gdk_wayland_tablet_flush_frame_event (GdkWaylandTabletData *tablet,
 return;
 }
- if (event->type == GDK_PROXIMITY_OUT)
- emulate_crossing (event->proximity.window, NULL, tablet->master,
+ if (event_type == GDK_PROXIMITY_OUT)
+ emulate_crossing (window, NULL, tablet->master,
 tablet->current_device, GDK_LEAVE_NOTIFY, GDK_CROSSING_NORMAL, time);
 _gdk_wayland_display_deliver_event (gdk_seat_get_display (tablet->seat), event);
- if (event->type == GDK_PROXIMITY_IN)
- emulate_crossing (event->proximity.window, NULL, tablet->master,
+ if (event_type == GDK_PROXIMITY_IN)
+ emulate_crossing (window, NULL, tablet->master,
 tablet->current_device, GDK_ENTER_NOTIFY, GDK_CROSSING_NORMAL, time);
+
+ g_object_unref (window);
 }
 static GdkEvent *
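Review bot: The window reference taken by `window = g_object_ref (gdk_event_get_window (event));` before the switch is not released on the `return;` shown as context at the top of the last hunk, which appears to be the switch's exit for unhandled event types (the switch body between the hunks is not visible). Every frame that takes that path would leak one GdkWindow reference, since the only `g_object_unref (window);` sits at the end of the function. Either take the reference after the switch, or make that exit `g_object_unref (window); return;`. If an event can reach this point without a window, `g_object_ref` and `g_object_unref` would also log criticals on NULL, so a NULL check or `g_clear_object (&window);` at the end would be safer.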