From f9b92b4668cbffe3efc75a04dd1bae415e7077ad Mon Sep 17 00:00:00 2001
From: Furkan Sahin
Date: Fri, 21 Mar 2025 18:35:36 +0100
Subject: server: recreate renderer in idle callback to avoid UAF

Destroying the wlr_renderer in a callback to its own renderer_lost event is unsafe due to wl_signal_emit*() still accessing it after it was destroyed. Delegate recreation of renderer to an idle callback and ensure that only one such idle callback is scheduled at a time by storing the returned event source.
---
include/sway/server.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include')
diff --git a/include/sway/server.h b/include/sway/server.h
index feb516c5..b1d7523c 100644
--- a/include/sway/server.h
+++ b/include/sway/server.h
@@ -46,6 +46,7 @@ struct sway_server {
 struct wl_listener new_output;
 struct wl_listener renderer_lost;
+ struct wl_event_source *recreating_renderer;
 struct wlr_idle_notifier_v1 *idle_notifier_v1;
 struct sway_idle_inhibit_manager_v1 idle_inhibit_manager_v1;
-- cgit v1.2.3
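Review bot: The new `recreating_renderer` member of `struct sway_server` carries no comment on its lifetime, and its name reads like a flag rather than a pointer to a pending event source. I would add `/* pending idle source for renderer recreation; NULL when none is scheduled */` above it. The code that sets and clears the field is not visible in this path-limited view, so it is worth confirming that the idle callback resets the field to NULL when it runs and that server teardown calls `wl_event_source_remove()` on a source that is still pending. Otherwise the stored pointer could become a second dangling reference of the kind this commit is fixing. The struct definition starts and ends outside the hunk.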