From 39a003942ebab39a1d3b8bc64f41d0c68e92f4bf Mon Sep 17 00:00:00 2001
From: David Redondo
Date: Wed, 2 Aug 2023 16:43:29 +0200
Subject: client: Set queued buffer busy

From the outside it doesn't matter if the buffer was really committed or queued, it still in use. If it is not marked busy QWaylandShmBackingStore will delete when it is resized which can happen when the surface changes screens or receives a new fractional scale resulting in a use after free producing a crash or protocol error.

Pick-to: 6.6
Change-Id: I8abc4edbd8990af5114aa0b36c8ecedb37a4f0f6
Reviewed-by: David Edmundson
Reviewed-by: Kai Uwe Broulik
---
 src/client/qwaylandbuffer_p.h | 2 +-
 src/client/qwaylandwindow.cpp | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/client')

diff --git a/src/client/qwaylandbuffer_p.h b/src/client/qwaylandbuffer_p.h
index 381debc81..3798ef3eb 100644
--- a/src/client/qwaylandbuffer_p.h
+++ b/src/client/qwaylandbuffer_p.h
@@ -37,7 +37,7 @@ public:
 virtual QSize size() const = 0;
 virtual int scale() const { return 1; }
- void setBusy() { mBusy = true; }
+ void setBusy(bool busy) { mBusy = busy; }
 bool busy() const { return mBusy; }
 void setCommitted() { mCommitted = true; }
diff --git a/src/client/qwaylandwindow.cpp b/src/client/qwaylandwindow.cpp
index d7bb6c652..c5316542e 100644
--- a/src/client/qwaylandwindow.cpp
+++ b/src/client/qwaylandwindow.cpp
@@ -681,7 +681,7 @@ void QWaylandWindow::attach(QWaylandBuffer *buffer, int x, int y)
 if (buffer) {
 Q_ASSERT(!buffer->committed());
 handleUpdate();
- buffer->setBusy();
+ buffer->setBusy(true);
 mSurface->attach(buffer->buffer(), x, y);
 } else {
@@ -713,7 +713,11 @@ void QWaylandWindow::safeCommit(QWaylandBuffer *buffer, const QRegion &damage)
 if (isExposed()) {
 commit(buffer, damage);
 } else {
+ if (mQueuedBuffer) {
+ mQueuedBuffer->setBusy(false);
+ }
 mQueuedBuffer = buffer;
+ mQueuedBuffer->setBusy(true);
 mQueuedBufferDamage = damage;
 }
 }
--
cgit v1.2.3
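Review bot: The new `setBusy(bool busy)` setter carries no comment, yet the whole fix rests on what "busy" promises the owner — per the commit message, QWaylandShmBackingStore deletes a non-busy buffer on resize, so a wrong transition here is a use-after-free rather than a cosmetic bug. A comment above the setter such as `// Busy: attached to the surface or queued for a later commit; the backing store must not free or resize a busy buffer. Clearing it is the owner's signal that the buffer may be reclaimed.` would make the contract visible at the only place it is set. With a plain `bool` parameter, call sites read as `setBusy(true)`/`setBusy(false)` and nothing marks which one is the release, so the comment is the only guard against a caller clearing it too early. The enclosing class starts and ends outside this hunk.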
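Review bot: The added `mQueuedBuffer->setBusy(true);` right after `mQueuedBuffer = buffer;` dereferences `buffer` without a null check, whereas `attach()` in the preceding hunk guards the same parameter with `if (buffer)`; if safeCommit can be reached with a null buffer, the non-exposed path now crashes where it previously only stored the null. Guarding the new call, `if (mQueuedBuffer) mQueuedBuffer->setBusy(true);` (or asserting non-null at the top of safeCommit), keeps the two paths consistent. The busy flag is released here only when a newer buffer displaces the queued one; every other place that drops `mQueuedBuffer` (its eventual commit on expose, or any reset, both outside this hunk) needs the matching `setBusy(false)`, otherwise the buffer stays busy for good and the backing store can never reclaim it. safeCommit's closing brace is in the hunk but its opening lines are not.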