Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
swaynag: fix use-after-fere in wl_display_dispatch
When destroying swaynag from within wl_display_dispatch, we cannot
disconnect the display as that will free the queue's event_list.
Free it after running the loop instead.
Fixes this use-after-free (you need a wayland compiled with asan,
my wl_list hack, or running with valgrind to see this trace):
==7312==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000000110 at pc 0x000000412a9f bp 0x7ffd4e811760 sp 0x7ffd4e811750
READ of size 8 at 0x612000000110 thread T0
#0 0x412a9e in wl_list_empty ../common/list.c:206
swaywm#1 0x7f5b58f0d42f in dispatch_queue src/wayland-client.c:1572
swaywm#2 0x7f5b58f0d42f in wl_display_dispatch_queue_pending src/wayland-client.c:1815
swaywm#3 0x40f465 in swaynag_run ../swaynag/swaynag.c:390
swaywm#4 0x407576 in main ../swaynag/main.c:123
swaywm#5 0x7f5b58bb9412 in __libc_start_main ../csu/libc-start.c:308
swaywm#6 0x404a3d in _start (/opt/wayland/bin/swaynag+0x404a3d)
0x612000000110 is located 208 bytes inside of 320-byte region [0x612000000040,0x612000000180)
freed by thread T0 here:
#0 0x7f5b594ab480 in free (/lib64/libasan.so.5+0xef480)
swaywm#1 0x40faff in swaynag_destroy ../swaynag/swaynag.c:454
swaywm#2 0x40cbb4 in layer_surface_closed ../swaynag/swaynag.c:82
swaywm#3 0x7f5b583e1acd in ffi_call_unix64 (/lib64/libffi.so.6+0x6acd)
previously allocated by thread T0 here:
#0 0x7f5b594aba50 in __interceptor_calloc (/lib64/libasan.so.5+0xefa50)
swaywm#1 0x7f5b58f0c902 in wl_display_connect_to_fd src/wayland-private.h:236- Loading branch information
