xwayland: Check window pixmap in xwl_present_check_flip2

We can only flip if the window pixmap matches that of the toplevel window. Doing so regardless could cause the toplevel window pixmap to get destroyed while it was still referenced by the window, resulting in use-after-free and likely a crash. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1033 Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Roman Gilg <subdiff@gmail.com>
author: Michel Dänzer <mdaenzer@redhat.com> 2020-08-27 18:36:15 +0200
committer: Michel Dänzer <michel@daenzer.net> 2020-09-07 17:55:12 +0200
commit: 4c25356d6cd908c5030c70e712076dff318ac00d (patch)
tree: a62888cc6c7c0830adc93eea8d830c48a7e340e0
parent: 7ac303c7b1e3b1be79ba3648e217798683e65a99 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index a4ecdada4..afcd03187 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -399,10 +399,18 @@ xwl_present_check_flip2(RRCrtcPtr crtc,
                         PresentFlipReason *reason)
 {
     struct xwl_window *xwl_window = xwl_window_from_window(present_window);
+    ScreenPtr screen = pixmap->drawable.pScreen;
 
     if (!xwl_window)
         return FALSE;
 
+    /* Can't flip if the window pixmap doesn't match the xwl_window parent
+     * window's, e.g. because a client redirected this window or one of its
+     * parents.
+     */
+    if (screen->GetWindowPixmap(xwl_window->window) != screen->GetWindowPixmap(present_window))
+        return FALSE;
+
     /*
      * We currently only allow flips of windows, that have the same
      * dimensions as their xwl_window parent window. For the case of
author	Michel Dänzer <mdaenzer@redhat.com>	2020-08-27 18:36:15 +0200
committer	Michel Dänzer <michel@daenzer.net>	2020-09-07 17:55:12 +0200
commit	4c25356d6cd908c5030c70e712076dff318ac00d (patch)
tree	a62888cc6c7c0830adc93eea8d830c48a7e340e0
parent	7ac303c7b1e3b1be79ba3648e217798683e65a99 (diff)