From: Consolatis <35009135+Consolatis@users.noreply.github.com>
Date: Fri, 4 Jul 2025 22:15:53 +0000 (+0200)
Subject: Fix UAF when granting an output lease
X-Git-Url: https://git.mdlowis.com/?a=commitdiff_plain;h=4699d446cbf3d3deecd044ffe94598b41bfee47c;p=proto%2Flabwc.git

Fix UAF when granting an output lease

Wlroots now destroys the wlr_output when granting a lease.
So we can't iterate through the outputs in the request after
granting the lease. This is also not necessary anymore because
they are already destroyed and thus removed from the layout.
---

diff --git a/include/labwc.h b/include/labwc.h
index 2e031d49..cff78588 100644
--- a/include/labwc.h
+++ b/include/labwc.h
@@ -433,7 +433,6 @@ struct output {
 	struct wl_listener frame;
 	struct wl_listener request_state;
 
-	bool leased;
 	bool gamma_lut_changed;
 };
 
diff --git a/src/output.c b/src/output.c
index 00e1faf0..85157c7d 100644
--- a/src/output.c
+++ b/src/output.c
@@ -609,7 +609,7 @@ output_config_apply(struct server *server,
 		struct wlr_output *o = head->state.output;
 		struct output *output = output_from_wlr_output(server, o);
 		struct wlr_output_state *os = &output->pending;
-		bool output_enabled = head->state.enabled && !output->leased;
+		bool output_enabled = head->state.enabled;
 
 		wlr_output_state_set_enabled(os, output_enabled);
 		if (output_enabled) {
@@ -1006,7 +1006,7 @@ bool
 output_is_usable(struct output *output)
 {
 	/* output_is_usable(NULL) is safe and returns false */
-	return output && output->wlr_output->enabled && !output->leased;
+	return output && output->wlr_output->enabled;
 }
 
 /* returns true if usable area changed */
diff --git a/src/server.c b/src/server.c
index 3666d86a..214885b1 100644
--- a/src/server.c
+++ b/src/server.c
@@ -183,22 +183,6 @@ handle_drm_lease_request(struct wl_listener *listener, void *data)
 		wlr_drm_lease_request_v1_reject(req);
 		return;
 	}
-
-	for (size_t i = 0; i < req->n_connectors; ++i) {
-		struct output *output = req->connectors[i]->output->data;
-		if (!output) {
-			continue;
-		}
-
-		wlr_output_state_set_enabled(&output->pending, false);
-		output_state_commit(output);
-
-		wlr_output_layout_remove(output->server->output_layout,
-			output->wlr_output);
-		output->scene_output = NULL;
-
-		output->leased = true;
-	}
 }
 
 static bool