From 053e0668a05031f6754570e702ad81f80132d5a8 Mon Sep 17 00:00:00 2001 From: llyyr Date: Sun, 18 Jan 2026 16:23:08 +0530 Subject: [PATCH] wayland: move info_done variable to vo_wayland vo_wayland_preferred_description_info is destroyed after info_done, so obviously we can't store it here. This causes a use-after-free. Embarrassing mistake Fixes: 7a7d871d0a6e19f5e25190709b0fe6370460d846 --- video/out/wayland_common.c | 6 +++--- video/out/wayland_common.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/video/out/wayland_common.c b/video/out/wayland_common.c index 495046eedd895..476034883151b 100644 --- a/video/out/wayland_common.c +++ b/video/out/wayland_common.c @@ -288,7 +288,6 @@ struct vo_wayland_text_input { struct vo_wayland_preferred_description_info { struct vo_wayland_state *wl; - bool info_done; struct pl_color_space csp; float min_luma; float max_luma; @@ -2140,7 +2139,7 @@ static void info_done(void *data, struct wp_image_description_info_v1 *image_des { struct vo_wayland_preferred_description_info *wd = data; struct vo_wayland_state *wl = wd->wl; - wd->info_done = true; + wl->image_description_info_done = true; wp_image_description_info_v1_destroy(image_description_info); if (!wd->icc_file) { MP_VERBOSE(wl, "Preferred surface feedback received:\n"); @@ -3110,10 +3109,11 @@ static void get_compositor_preferred_description(struct vo_wayland_state *wl) struct wp_image_description_info_v1 *description_info = wp_image_description_v1_get_information(image_description); struct wl_event_queue *image_description_info_queue = wl_display_create_queue_with_name(wl->display, "image description info queue"); + wl->image_description_info_done = false; wl_proxy_set_queue((struct wl_proxy *)description_info, image_description_info_queue); wp_image_description_info_v1_add_listener(description_info, &image_description_info_listener, wd); while (wl_display_dispatch_queue(wl->display, image_description_info_queue) > 0) - if (wd->info_done) + if (wl->image_description_info_done) break; wp_image_description_v1_destroy(image_description); wl_event_queue_destroy(image_description_info_queue); diff --git a/video/out/wayland_common.h b/video/out/wayland_common.h index eb7afcd00251a..309c59f249d2c 100644 --- a/video/out/wayland_common.h +++ b/video/out/wayland_common.h @@ -103,6 +103,7 @@ struct vo_wayland_state { void *icc_file; uint32_t icc_size; struct pl_color_space preferred_csp; + bool image_description_info_done; /* color-representation */ struct wp_color_representation_manager_v1 *color_representation_manager;