From: John Lindgren
Date: Thu, 15 Sep 2022 23:50:07 +0000 (-0400)
Subject: keyboard: Fix use-after-free in keyboard_finish()
X-Git-Url: https://git.mdlowis.com/?a=commitdiff_plain;h=086a887058b24d97ef3091424a6bbedec359aeb5;p=proto%2Flabwc.git

keyboard: Fix use-after-free in keyboard_finish()
---

diff --git a/src/keyboard.c b/src/keyboard.c
index 2d44a9db..364e8048 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -241,8 +241,15 @@ void
 keyboard_finish(struct seat *seat)
 {
 if (seat->keyboard_group) {
+ /*
+ * Caution - these event listeners are connected to
+ * seat->keyboard_group->keyboard and must be
+ * unregistered before wlr_keyboard_group_destroy(),
+ * otherwise a use-after-free occurs.
+ */
+ wl_list_remove(&seat->keyboard_key.link);
+ wl_list_remove(&seat->keyboard_modifiers.link);
 wlr_keyboard_group_destroy(seat->keyboard_group);
+ seat->keyboard_group = NULL;
 }
- wl_list_remove(&seat->keyboard_key.link);
- wl_list_remove(&seat->keyboard_modifiers.link);
 }
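Review bot: The two `wl_list_remove()` calls in keyboard_finish() now run only when `seat->keyboard_group` is non-NULL, so the teardown is correct only if both listeners are registered exactly when the group exists. The registration site is outside this hunk, so that pairing should be confirmed there. libwayland's `wl_list_remove()` leaves the removed link's pointers NULL, so the new `seat->keyboard_group = NULL;` is what keeps a second keyboard_finish() from removing the same links again and dereferencing NULL. That dependency deserves a line in the comment, for example `* Listeners exist only while keyboard_group is set; clearing the pointer below makes a repeated keyboard_finish() a no-op.`, so a later refactor does not drop the reset or register the listeners independently of the group.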