From f92329701b0983ec41fec29d3abc5c751cbe4a28 Mon Sep 17 00:00:00 2001
From: David Rosca
Date: Tue, 19 Oct 2021 07:54:36 +0200
Subject: [PATCH] container: Fix crash when view unmaps + maps quickly

Followup on 4e4898e90f. If a view quickly maps and unmaps repeatedly, there will be multiple destroyed containers with same view in a single transaction. Each of these containers will then try to destroy this view, resulting in use after free. The container should only destroy the view if the view still belongs to the container. Simple reproducer: couple XMapWindow + XUnmapWindow in a loop followed by XDestroyWindow. See #6605
---
 sway/tree/container.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/sway/tree/container.c b/sway/tree/container.c
index e5149fb6..79e04ec0 100644
--- a/sway/tree/container.c
+++ b/sway/tree/container.c
@@ -80,10 +80,8 @@ void container_destroy(struct sway_container *con) {
 wlr_texture_destroy(con->marks_urgent);
 wlr_texture_destroy(con->marks_focused_tab_title);
- if (con->view) {
- if (con->view->container == con) {
- con->view->container = NULL;
- }
+ if (con->view && con->view->container == con) {
+ con->view->container = NULL;
 if (con->view->destroying) {
 view_destroy(con->view);
 }
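Review bot: The new guard `con->view && con->view->container == con` still dereferences `con->view` in every stale container, so it is only safe if the container that currently owns the view is destroyed after all the stale ones; if the owning container were processed first and reached `view_destroy()`, the remaining containers would read freed memory in this very comparison. Nothing visible in the hunk guarantees that ordering, so it is worth confirming, or clearing the old container's `view` pointer at the point where the view is attached to a new container (outside this hunk). At minimum the ownership rule deserves a comment above the `if`, e.g. `/* Only the container the view still points back to may destroy it; stale containers from earlier map/unmap cycles must not touch it. */`. The body of container_destroy starts before and continues after the hunk.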