On Mon, Nov 26, 2012 at 11:25:53PM +0100, Jonas Ådahl wrote:
> Since wl_display_dispatch() returns the number of processed events or -1
> on error, only cancel the roundtrip if a -1 is returned.
>
> This also fixes a potential memory corruption bug happening when
> wl_display_roundtrip() does an early return and the callback later
> writes to the then out of scope stack allocated `done' parameter.
>
> Introduced by 33b7637b4500a682018b503837b8aca9afae36f2.

Ah, very nasty. Thanks for figuring this out.

Kristian

> Signed-off-by: Jonas Ådahl <[email protected]>
> ---
> src/wayland-client.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/wayland-client.c b/src/wayland-client.c > index 5fecc01..5ba2c45 100644 > --- a/src/wayland-client.c > +++ b/src/wayland-client.c > @@ -649,9 +649,12 @@ wl_display_roundtrip(struct wl_display *display) > done = 0; > callback = wl_display_sync(display); > wl_callback_add_listener(callback, &sync_listener, &done); > - while (!done && !ret) > + while (!done && ret >= 0) > ret = wl_display_dispatch(display); > > + if (ret == -1 && !done) > + wl_callback_destroy(callback); > + > return ret; > }
>
> --
> 1.7.10.4
>
> _______________________________________________
> wayland-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
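
Review bot: the cleanup test `if (ret == -1 && !done)` is narrower than the loop exit condition `ret >= 0`, so the two should be made to match. If wl_display_dispatch() ever returns a negative value other than -1, the loop ends with the callback still registered and still holding `&done`, a pointer into this stack frame, which is the stale write the commit message describes. Testing `ret < 0 && !done`, or simply `!done`, after the loop would tie the destroy to every early exit. A one-line comment on the destroy saying that the listener's data pointer refers to the local `done` would also help keep later edits from reintroducing the early return. Separately, `ret` is read in the loop condition before the first dispatch and its initialisation is outside the visible context, so it is worth confirming it starts at 0.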
