From d8156e22f6277cf6875c48f566076b61cdb01806 Mon Sep 17 00:00:00 2001
From: Derek Foreman
Date: Tue, 26 May 2015 16:21:05 -0500
Subject: [PATCH] exposay: Fix use after free when a view is destroyed during animation

Moving the destroy listener setup allows the animation completion handler to be called before we free any structures it needs.

Signed-off-by: Derek Foreman
---
 desktop-shell/exposay.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/desktop-shell/exposay.c b/desktop-shell/exposay.c
index 190dd0c0d..3d5d0c339 100644
--- a/desktop-shell/exposay.c
+++ b/desktop-shell/exposay.c
@@ -296,9 +296,6 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
 esurface->eoutput = eoutput;
 esurface->view = view;
- esurface->view_destroy_listener.notify = handle_view_destroy;
- wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
-
 esurface->row = i / eoutput->grid_size;
 esurface->column = i % eoutput->grid_size;
@@ -322,6 +319,15 @@ exposay_layout(struct desktop_shell *shell, struct shell_output *shell_output)
 exposay_animate_in(esurface);
+ /* We want our destroy handler to be after the animation
+ * destroy handler in the list, this way when the view is
+ * destroyed, the animation can safely call the animation
+ * completion callback before we free the esurface in our
+ * destroy handler.
+ */
+ esurface->view_destroy_listener.notify = handle_view_destroy;
+ wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
+
 i++;
 }
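Review bot: The comment above the moved wl_signal_add() should spell out what the fix actually depends on, because the ordering is implicit rather than enforced: handle_view_destroy only runs after the animation's listener if wl_signal_add() appends to the tail of the listener list (libwayland-server behaviour, not visible here) and if exposay_animate_in() has already registered the animation's destroy listener synchronously by the time this line executes. If exposay_animate_in() can skip or defer that registration, or a later change registers listeners in a different order, the use-after-free silently returns with no compiler or runtime signal. Because wl_signal_emit() walks the list with a safe iterator that caches only the next node, the animation-side handler that now runs first must also not unlink or free esurface's view_destroy_listener, or the cached pointer goes stale; whether the completion callback does this cannot be confirmed from the hunk. I would append to the comment: `* NOTE: relies on wl_signal_add() appending to the tail and on exposay_animate_in() having already registered the animation's destroy listener; keep this call after it.` exposay_layout()'s body begins and ends outside the hunk.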