Fix use-after-free with animated cursors

In WlCallback::callback_done(), m_fn() can cause the callback object to be deleted, so it should not be referenced after that. Since m_autoDelete is never set to true, the rest of callback_done() is dead code and can be removed. Fixes: QTBUG-117067 Pick-to: 6.6 6.5 Change-Id: I0b1a1fcb8204cba789272f3861be4c2e2d0789b4 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> Reviewed-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
2023-09-18 12:06:16 +02:00 · 2023-09-18 12:06:16 +02:00 · fa89154807
commit fa89154807
parent 379235e6ac
1 changed files with 1 additions and 8 deletions
--- a/src/plugins/platforms/wayland/qwaylandinputdevice.cpp
+++ b/src/plugins/platforms/wayland/qwaylandinputdevice.cpp
@ -155,23 +155,16 @@ QWaylandWindow *QWaylandInputDevice::Pointer::focusWindow() const

 class WlCallback : public QtWayland::wl_callback {
 public:
-    explicit WlCallback(::wl_callback *callback, std::function<void(uint32_t)> fn, bool autoDelete = false)
+    explicit WlCallback(::wl_callback *callback, std::function<void(uint32_t)> fn)
        : QtWayland::wl_callback(callback)
        , m_fn(fn)
-        , m_autoDelete(autoDelete)
    {}
    ~WlCallback() override { wl_callback_destroy(object()); }
-    bool done() const { return m_done; }
    void callback_done(uint32_t callback_data) override {
-        m_done = true;
        m_fn(callback_data);
-        if (m_autoDelete)
-            delete this;
    }
 private:
-    bool m_done = false;
    std::function<void(uint32_t)> m_fn;
-    bool m_autoDelete = false;
 };

 class CursorSurface : public QWaylandSurface