[PATCH xserver v3] xwayland: Fix use after free of cursors

Olivier Fourdan ofourdan at redhat.com
Wed Nov 30 07:51:49 UTC 2016


Hi,

> > Sometimes, Xwayland will try to use a cursor that has just been freed,
> > leading to a crash when trying to access that cursor data either in
> > miPointerUpdateSprite() or AnimCurTimerNotify().
> > 
> > CheckMotion() updates the pointer's cursor based on which xwindow
> > XYToWindow() returns, and Xwayland implements its own xwl_xy_to_window()
> > to fake a crossing to the root window when the pointer has left the
> > Wayland surface but is still within the xwindow.
> > 
> > But after an xwindow is unrealized, the last xwindow used to match the
> > xwindows is cleared so two consecutive calls to xwl_xy_to_window() may
> > not return the same xwindow.
> > 
> > To avoid this issue, update the last_xwindow based on enter and leave
> > notifications instead of xwl_xy_to_window(), and check if the xwindow
> > found by the regular miXYToWindow() is a child of the known last
> > xwindow, so that multiple consecutive calls to xwl_xy_to_window()
> > return the same xwindow, being either the one found by miXYToWindow()
> > or the root window.
> > 
> > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1385258
> > Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
> 
> Tested-by: Vít Ondruch <vondruch at redhat.com>
> Tested-by: Satish Balay <balay at fastmail.fm>

I have added this patch to the Fedora 25 package for xorg-x11-server-Xwayland-1.19.0 a week or so ago and haven't spotted any new report of a similar crash in Xwayland since then, so I am quite confident this is the right fix for the issue.

Cheers,
Olivier.
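The invariant the quoted commit message describes, that consecutive xwl_xy_to_window() calls return either the hit-tested window or the root depending on a last window maintained only by enter/leave events, modelled as a small added C program. This is not Xwayland's code: the window tree, the names pointer_enter(), pointer_leave(), xy_to_window() and the caller-supplied hit result standing in for miXYToWindow() are all assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed window tree: each window only knows its parent. */
typedef struct Window {
    const char *name;
    struct Window *parent;
} Window;

static Window root       = { "root", NULL };
static Window toplevel   = { "toplevel", &root };
static Window subwindow  = { "subwindow", &toplevel };

/* The window the pointer last entered; NULL once it has left the surface.
 * Updated from enter/leave notifications only, never from hit testing. */
static Window *last_xwindow = NULL;

/* True when `w` is `ancestor` itself or lies below it in the tree. */
int is_descendant_of(const Window *w, const Window *ancestor)
{
    for (; w != NULL; w = w->parent)
        if (w == ancestor)
            return 1;
    return 0;
}

void pointer_enter(Window *w) { last_xwindow = w; }
void pointer_leave(void)      { last_xwindow = NULL; }

/* `hit` is what the regular hit test (miXYToWindow in the server) found.
 * Return it only while the pointer is inside the known last window;
 * otherwise fake a crossing to the root window. Calling this repeatedly
 * without an enter/leave in between always yields the same answer. */
Window *xy_to_window(Window *hit)
{
    if (last_xwindow != NULL && is_descendant_of(hit, last_xwindow))
        return hit;
    return &root;
}

int main(void)
{
    pointer_enter(&toplevel);
    printf("inside:  %s\n", xy_to_window(&subwindow)->name);  /* subwindow */
    pointer_leave();
    printf("outside: %s\n", xy_to_window(&subwindow)->name);  /* root */
    return 0;
}
```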