From 20756a07cdcebb08049412902ea6f535cc9cd626 Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Wed, 9 Oct 2024 22:28:22 +1100
Subject: [PATCH] Fix #128766: crash dropping files with Wayland Dropping files could crash ~10% of the time on some systems, although I wasn't able to reproduce the error. The ownership of GWL_Seat::data_offer_dnd wasn't handled correctly, where the value could be handled by both wl_data_device_listener::leave & drop callbacks. Resolve by ensuring the data-offer is handled by the drop callback.
---
intern/ghost/intern/GHOST_SystemWayland.cc | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/intern/ghost/intern/GHOST_SystemWayland.cc b/intern/ghost/intern/GHOST_SystemWayland.cc
index 52cf7adc5cc..aebdf7ac8c7 100644
--- a/intern/ghost/intern/GHOST_SystemWayland.cc
+++ b/intern/ghost/intern/GHOST_SystemWayland.cc
@@ -3507,6 +3507,10 @@ static void data_device_handle_drop(void *data, wl_data_device * /*wl_data_devic * because the data-offer has not been accepted (actions set... etc). */ GWL_DataOffer *data_offer = seat->data_offer_dnd; + /* Take ownership of `data_offer` to prevent a double-free, see: #128766. * The thread this function spawns is responsible for freeing it. */ + seat->data_offer_dnd = nullptr; + /* Use a blank string for `mime_receive` to prevent crashes, although could also be `nullptr`. * Failure to set this to a known type just means the file won't have any special handling. * GHOST still generates a dropped file event.
@@ -3540,9 +3544,6 @@ static void data_device_handle_drop(void *data, wl_data_device * /*wl_data_devic wl_data_offer_finish(data_offer->wl.id); wl_data_offer_destroy(data_offer->wl.id); - if (seat->data_offer_dnd == data_offer) { - seat->data_offer_dnd = nullptr; - } delete data_offer; data_offer = nullptr;
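Review bot: Nothing visible in the first hunk establishes that `seat->data_offer_dnd` is non-null at the moment it is taken and cleared, yet the later lines of data_device_handle_drop shown in the second hunk dereference `data_offer->wl.id`. If a drop can arrive after another path has already cleared the field, the old double-free would become a null dereference. The context comment ending "because the data-offer has not been accepted" begins outside the hunk and may already rule this out; if it does not, a guard directly after the read is cheap: `if (data_offer == nullptr) { return; }`. The new ownership comment should also name whatever serializes this read-and-clear against `wl_data_device_listener::leave` (a lock taken before the hunk, or single-threaded event dispatch), since that is what the fix relies on. The function starts before and continues past both hunks, so this needs checking against the full body.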