client: Set queued buffer busy

From the outside it doesn't matter if the buffer was really committed
or queued, it still in use. If it is not marked  busy QWaylandShmBackingStore
will delete when it is resized which can happen when the surface changes
screens or receives a new fractional scale resulting in a use after free
producing a crash or protocol error.

Pick-to: 6.6
Change-Id: I8abc4edbd8990af5114aa0b36c8ecedb37a4f0f6
Reviewed-by: David Edmundson <davidedmundson@kde.org>
Reviewed-by: Kai Uwe Broulik <kde@privat.broulik.de>

2 files changed, 6 insertions, 2 deletions

diff --git a/src/client/qwaylandbuffer_p.h b/src/client/qwaylandbuffer_p.h
index 381debc81..3798ef3eb 100644
--- a/src/client/qwaylandbuffer_p.h
+++ b/src/client/qwaylandbuffer_p.h
@@ -37,7 +37,7 @@ public:
     virtual QSize size() const = 0;
     virtual int scale() const { return 1; }
 
-    void setBusy() { mBusy = true; }
+    void setBusy(bool busy) { mBusy = busy; }
     bool busy() const { return mBusy; }
 
     void setCommitted() { mCommitted = true; }
diff --git a/src/client/qwaylandwindow.cpp b/src/client/qwaylandwindow.cpp
index d7bb6c652..c5316542e 100644
--- a/src/client/qwaylandwindow.cpp
+++ b/src/client/qwaylandwindow.cpp
@@ -681,7 +681,7 @@ void QWaylandWindow::attach(QWaylandBuffer *buffer, int x, int y)
     if (buffer) {
         Q_ASSERT(!buffer->committed());
         handleUpdate();
-        buffer->setBusy();
+        buffer->setBusy(true);
 
         mSurface->attach(buffer->buffer(), x, y);
     } else {
@@ -713,7 +713,11 @@ void QWaylandWindow::safeCommit(QWaylandBuffer *buffer, const QRegion &damage)
     if (isExposed()) {
         commit(buffer, damage);
     } else {
+        if (mQueuedBuffer) {
+            mQueuedBuffer->setBusy(false);
+        }
         mQueuedBuffer = buffer;
+        mQueuedBuffer->setBusy(true);
         mQueuedBufferDamage = damage;
     }
 }