vinzenz/nova-shell
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

qtbase patch: guard surface_enter/leave against stale wl_output proxies

Browse source
This commit is contained in:
Damocles 2026-04-20 17:00:13 +02:00
parent d247f64cac
commit 6a8b38c73a
1 changed files with 27 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

28
nix/patches/qtbase-wayland-screen-uaf.patch
View file

@ -91,7 +91,7 @@ index 29952886..88b57945 100644
QWaylandIntegration *mWaylandIntegration = nullptr; QWaylandIntegration *mWaylandIntegration = nullptr;
#if QT_CONFIG(cursor) #if QT_CONFIG(cursor)
diff --git a/src/plugins/platforms/wayland/qwaylandsurface.cpp b/src/plugins/platforms/wayland/qwaylandsurface.cpp diff --git a/src/plugins/platforms/wayland/qwaylandsurface.cpp b/src/plugins/platforms/wayland/qwaylandsurface.cpp
index 274fdda8..fd098066 100644 index 274fdda8..a881b9d1 100644
--- a/src/plugins/platforms/wayland/qwaylandsurface.cpp --- a/src/plugins/platforms/wayland/qwaylandsurface.cpp
+++ b/src/plugins/platforms/wayland/qwaylandsurface.cpp +++ b/src/plugins/platforms/wayland/qwaylandsurface.cpp
@@ -13,18 +13,31 @@ namespace QtWaylandClient { @@ -13,18 +13,31 @@ namespace QtWaylandClient {
@ -126,6 +126,32 @@ index 274fdda8..fd098066 100644
for (auto *screen : std::as_const(m_screens)) { for (auto *screen : std::as_const(m_screens)) {
// only report valid screens // only report valid screens
// we can have some ouptuts waiting for xdg output information // we can have some ouptuts waiting for xdg output information
@@ -60,6 +73,14 @@ void QWaylandSurface::surface_enter(wl_output *output)
if (!addedScreen)
return;
+ // The wl_output proxy argument was resolved at demarshal time (when the
+ // event was read from the socket). If a preceding event in the same
+ // dispatch batch destroyed the proxy, fromWlOutput may return a stale
+ // QWaylandScreen pointer from freed proxy memory. Validate against the
+ // display's live screen lists before using.
+ if (m_display && !m_display->isScreenAlive(addedScreen))
+ return;
+
if (m_screens.contains(addedScreen)) {
qCWarning(lcQpaWayland)
<< "Ignoring unexpected wl_surface.enter received for output with id:"
@@ -80,6 +101,10 @@ void QWaylandSurface::surface_leave(wl_output *output)
if (!removedScreen)
return;
+ // See comment in surface_enter: the proxy may be stale.
+ if (m_display && !m_display->isScreenAlive(removedScreen))
+ return;
+
bool wasRemoved = m_screens.removeOne(removedScreen);
if (!wasRemoved) {
qCWarning(lcQpaWayland)
diff --git a/src/plugins/platforms/wayland/qwaylandsurface_p.h b/src/plugins/platforms/wayland/qwaylandsurface_p.h diff --git a/src/plugins/platforms/wayland/qwaylandsurface_p.h b/src/plugins/platforms/wayland/qwaylandsurface_p.h
index 41860297..ddb63b04 100644 index 41860297..ddb63b04 100644
--- a/src/plugins/platforms/wayland/qwaylandsurface_p.h --- a/src/plugins/platforms/wayland/qwaylandsurface_p.h