wayland: Destroy frame callback when destroying surface

If a frame callback is not destroyed when destroying a surface, its handler function will be invoked if the surface was destroyed after the callback was requested but before it was invoked, causing a write on free:ed memory. This can happen if eglDestroySurface() is called shortly after eglSwapBuffers(). Note: This is a candidate for stable branches. Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
2026-05-05 18:18:06 +02:00 · 2012-10-28 00:50:12 +02:00 · 2012-10-28 00:50:12 +02:00 · a3b6b2d305
commit a3b6b2d305
parent 0b61f0b148
2 changed files with 6 additions and 0 deletions
--- a/src/egl/drivers/dri2/platform_wayland.c
+++ b/src/egl/drivers/dri2/platform_wayland.c
@ -213,6 +213,9 @@ dri2_destroy_surface(_EGLDriver *drv, _EGLDisplay *disp, _EGLSurface *surf)
                                    dri2_surf->third_buffer);
   }

+   if (dri2_surf->frame_callback)
+      wl_callback_destroy(dri2_surf->frame_callback);
+
   free(surf);

   return EGL_TRUE;
--- a/src/gallium/state_trackers/egl/wayland/native_wayland.c
+++ b/src/gallium/state_trackers/egl/wayland/native_wayland.c
@ -355,6 +355,9 @@ wayland_surface_destroy(struct native_surface *nsurf)
         wl_buffer_destroy(surface->buffer[buffer]);
   }

+   if (surface->frame_callback)
+      wl_callback_destroy(surface->frame_callback);
+
   resource_surface_destroy(surface->rsurf);
   FREE(surface);
 }