authorJohn Brooks <john.brooks@crimson.no>2020-04-30 08:47:40 -0700
committerJohn Brooks <john.brooks@crimson.no>2020-05-07 03:22:41 -0700
commit7038e1681863c8a59c6c6a758fc7ec41f29f2be7 (patch)
tree1bf93e6ccdcc8f98ce792e97cfcab51d6f679e15
parentec68d74498e9103b11e86df394cc8d79c156adbc (diff)
Fix use-after-free on xdg pong
With the xdg shell, ping is not related to a particular surface. WaylandCompositor associates the pong with its original WindowSurface with a map of the serial number to WindowSurface. If the WindowSurface is destroyed before pong arrives, the map will have an invalid pointer leading to a compositor crash. Change-Id: Ide32ac80d42bf8373e8180e12ab89b29e6d00341 Reviewed-by: Robert Griebl <robert.griebl@qt.io>
-rw-r--r--src/window-lib/waylandcompositor.cpp2
-rw-r--r--src/window-lib/waylandcompositor.h3
2 files changed, 3 insertions, 2 deletions
diff --git a/src/window-lib/waylandcompositor.cpp b/src/window-lib/waylandcompositor.cpp
index 9a20154c..0f87f45d 100644
--- a/src/window-lib/waylandcompositor.cpp
+++ b/src/window-lib/waylandcompositor.cpp
@@ -180,7 +180,7 @@ void WaylandCompositor::xdgPing(WindowSurface* surface)
void WaylandCompositor::onXdgPongReceived(uint serial)
{
- WindowSurface *surface = m_xdgPingMap.take(serial);
+ auto surface = m_xdgPingMap.take(serial);
if (surface) {
emit surface->pong();
}
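Review bot: In onXdgPongReceived, `auto surface` hides that take() now yields a QPointer<WindowSurface>, so the `if (surface)` below reads like a plain missing-key check when it is also the guard against a surface destroyed before its pong. I would spell the type out, `QPointer<WindowSurface> surface = m_xdgPingMap.take(serial);`, and put `// null for an unknown serial or a surface destroyed before its pong arrived` above the check. The serial presumably comes from the client's pong, so this guard is what keeps a stale or unexpected serial from reaching the `emit`. The function's closing brace is outside the hunk.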
diff --git a/src/window-lib/waylandcompositor.h b/src/window-lib/waylandcompositor.h
index 968457c2..fb6ca1a1 100644
--- a/src/window-lib/waylandcompositor.h
+++ b/src/window-lib/waylandcompositor.h
@@ -53,6 +53,7 @@
#include <QWaylandQuickItem>
#include <QMap>
+#include <QPointer>
QT_FORWARD_DECLARE_CLASS(QWaylandResource)
QT_FORWARD_DECLARE_CLASS(QWaylandWlShell)
@@ -156,7 +157,7 @@ protected:
QVector<QWaylandOutput *> m_outputs;
WaylandQtAMServerExtension *m_amExtension;
QWaylandTextInputManager *m_textInputManager;
- QMap<uint, WindowSurface*> m_xdgPingMap;
+ QMap<uint, QPointer<WindowSurface>> m_xdgPingMap;
};
QT_END_NAMESPACE_AM
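Review bot: Entries for destroyed surfaces now stay in `m_xdgPingMap` as null QPointers until a pong with the matching serial arrives, and nothing in the visible hunks removes them otherwise. A client that never answers pings while its surfaces come and go could make the map grow for the lifetime of the compositor. Consider dropping a surface's entries when it is destroyed, or purging null values before inserting in xdgPing (not visible here, so it may already do this). A comment on the member such as `// serial -> surface; value becomes null once the surface is destroyed` would also document the new invariant.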