exposay: Fix use after free when a view is destroyed during animation
Moving the destroy listener setup allows the animation completion handler
to be called before we free any structures it needs.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
diff --git a/desktop-shell/exposay.c b/desktop-shell/exposay.c
index 190dd0c..3d5d0c3 100644
--- a/desktop-shell/exposay.c
+++ b/desktop-shell/exposay.c
@@ -296,9 +296,6 @@
esurface->eoutput = eoutput;
esurface->view = view;
- esurface->view_destroy_listener.notify = handle_view_destroy;
- wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
-
esurface->row = i / eoutput->grid_size;
esurface->column = i % eoutput->grid_size;
@@ -322,6 +319,15 @@
exposay_animate_in(esurface);
+ /* We want our destroy handler to be after the animation
+ * destroy handler in the list, this way when the view is
+ * destroyed, the animation can safely call the animation
+ * completion callback before we free the esurface in our
+ * destroy handler.
+ */
+ esurface->view_destroy_listener.notify = handle_view_destroy;
+ wl_signal_add(&view->destroy_signal, &esurface->view_destroy_listener);
+
i++;
}
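Review bot: The ordering this block relies on only covers listeners that are already on `view->destroy_signal` when the added `wl_signal_add()` call runs, because `wl_signal_add()` appends to the list. An animation started on the same view later would presumably register its destroy listener after `handle_view_destroy`, so its completion callback could still run against a freed esurface. That case is not visible in this hunk and should be checked against the file's other animation call sites. The comment should also name the dependency explicitly, for example by adding `* Relies on exposay_animate_in() registering the animation's listener first and on wl_signal_add() appending.` so a later reorder does not silently reintroduce the use after free. The enclosing loop and function begin outside the hunk.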