backend/drm: fix segfault in init_drm_surface (!58) · Merge requests · Librem5 / wlroots

Guido Gunther requested to merge guido.gunther/wlroots:mrs/render-crash into librem5-0.8.x Dec 05, 2019

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm.

Closes: https://github.com/swaywm/wlroots/issues/1868 Closes: https://github.com/swaywm/wlroots/issues/1874 Closes: https://github.com/swaywm/sway/issues/4785 Closes: https://github.com/swaywm/sway/issues/4717 Closes: https://github.com/swaywm/sway/issues/4730 Fixes: 2bdd1d08 ("backend/drm: use modifiers for our GBM buffers") (cherry picked from commit 6ca82087)

i think i've seen that in the wild (although we don't currently carry 2bdd1d08)

Edited Dec 05, 2019 by Guido Gunther

Admin message

backend/drm: fix segfault in init_drm_surface

Merge request reports