libweston: fix possible crash after a view is removed the layer
weston_compositor_build_view_list can reconstruct the view_list without a view which was
previously in it. The existing pointers in view->link are left unchanged, which could
lead to corruption or access to released memory in wl_list_remove, depending on the
order of destruction of the views.
This can happen at least with the black view created by the desktop shell for fullscreen
surfaces, when it is hidden in lower_fullscreen_layer.
Signed-off-by: Loïc Yhuel <loic.yhuel@softathome.com>
diff --git a/libweston/compositor.c b/libweston/compositor.c
index f726364..63f3880 100644
--- a/libweston/compositor.c
+++ b/libweston/compositor.c
@@ -2569,14 +2569,17 @@
static void
weston_compositor_build_view_list(struct weston_compositor *compositor)
{
- struct weston_view *view;
+ struct weston_view *view, *tmp;
struct weston_layer *layer;
wl_list_for_each(layer, &compositor->layer_list, link)
wl_list_for_each(view, &layer->view_list.link, layer_link.link)
surface_stash_subsurface_views(view->surface);
+ wl_list_for_each_safe(view, tmp, &compositor->view_list, link)
+ wl_list_init(&view->link);
wl_list_init(&compositor->view_list);
+
wl_list_for_each(layer, &compositor->layer_list, link) {
wl_list_for_each(view, &layer->view_list.link, layer_link.link) {
view_list_add(compositor, view);
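Review bot: The new `wl_list_for_each_safe` loop that re-initialises `view->link` has no comment, and next to `wl_list_init(&compositor->view_list)` it reads as redundant, so a later cleanup could drop it and bring back the stale-pointer access in `wl_list_remove` that the commit message describes. I would put a comment above the loop, such as `/* Detach every view from the old list: a view left out of the rebuilt list must not keep link pointers into it, or a later wl_list_remove() touches stale or freed nodes. */`. The loop also appears to rely on `view->link` always being either self-linked or on `compositor->view_list` at every other place that removes it; that is not visible in this hunk and is worth confirming. The body of `weston_compositor_build_view_list` continues past the end of the hunk.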