client: Set queued buffer busy

From the outside it doesn't matter if the buffer was really committed or queued, it still in use. If it is not marked busy QWaylandShmBackingStore will delete when it is resized which can happen when the surface changes screens or receives a new fractional scale resulting in a use after free producing a crash or protocol error. Pick-to: 6.6 Change-Id: I8abc4edbd8990af5114aa0b36c8ecedb37a4f0f6 Reviewed-by: David Edmundson <[email protected]> Reviewed-by: Kai Uwe Broulik <[email protected]>
qt · Aug 3, 2023 · 39a0039 · 39a0039
1 parent fa2a7b2
commit 39a0039
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/client/qwaylandbuffer_p.h b/src/client/qwaylandbuffer_p.h
@@ -37,7 +37,7 @@ class Q_WAYLANDCLIENT_EXPORT QWaylandBuffer {
  virtual QSize size() const = 0;
  virtual int scale() const { return 1; }
 
- void setBusy() { mBusy = true; }
+ void setBusy(bool busy) { mBusy = busy; }
  bool busy() const { return mBusy; }
 
  void setCommitted() { mCommitted = true; }

diff --git a/src/client/qwaylandwindow.cpp b/src/client/qwaylandwindow.cpp
@@ -681,7 +681,7 @@ void QWaylandWindow::attach(QWaylandBuffer *buffer, int x, int y)
  if (buffer) {
  Q_ASSERT(!buffer->committed());
  handleUpdate();
- buffer->setBusy();
+ buffer->setBusy(true);
 
  mSurface->attach(buffer->buffer(), x, y);
  } else {
@@ -713,7 +713,11 @@ void QWaylandWindow::safeCommit(QWaylandBuffer *buffer, const QRegion &damage)
  if (isExposed()) {
  commit(buffer, damage);
  } else {
+ if (mQueuedBuffer) {
+ mQueuedBuffer->setBusy(false);
+ }
  mQueuedBuffer = buffer;
+ mQueuedBuffer->setBusy(true);
  mQueuedBufferDamage = damage;
  }
 }