From de2536f4e48c1c21ce0d3eb6ff29de1aa8a5cc72 Mon Sep 17 00:00:00 2001
From: David Herrmann
Date: Thu, 27 Sep 2012 11:34:15 +0200
Subject: [PATCH] wlt: toolkit: fix use after free of dp_fd
We need to keep dp_fd alive for all calls to wl_display_*(). Otherwise, the callback will use it and access invalid memory.
Signed-off-by: David Herrmann
---
 src/wlt_toolkit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wlt_toolkit.c b/src/wlt_toolkit.c
index efbe32d..5f48341 100644
--- a/src/wlt_toolkit.c
+++ b/src/wlt_toolkit.c
@@ -896,9 +896,9 @@ void wlt_display_unref(struct wlt_display *disp)
 unload_cursors(disp);
 wl_display_remove_global_listener(disp->dp, disp->dp_listener);
- ev_eloop_rm_fd(disp->dp_fd);
 wl_display_flush(disp->dp);
 wl_display_disconnect(disp->dp);
+ ev_eloop_rm_fd(disp->dp_fd);
 xkb_context_unref(disp->xkb_ctx);
 shl_hook_free(disp->listeners);
 ev_eloop_unref(disp->eloop);
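Review bot: The new position of `ev_eloop_rm_fd(disp->dp_fd);` after `wl_display_disconnect(disp->dp);` is a lifetime invariant that nothing in the code records, so a later tidy-up of wlt_display_unref() could move the call back and reintroduce the use-after-free. I would add a comment directly above it, e.g. `/* dp_fd must stay alive until wl_display_disconnect() returns; the display callback still uses it */`. Separately, if wl_display_disconnect() closes the underlying socket (not visible here), ev_eloop_rm_fd() now runs against an already-closed descriptor, so it is worth confirming that it tolerates that and cannot act on a reused fd number. The body of wlt_display_unref() starts and ends outside this hunk, so the final release of disp is not visible either.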