From 51ee6e5ceb0cacc8e2fa225ad5391ffb159e36a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Mon, 7 Sep 2020 18:39:17 +0200 Subject: [PATCH] xwayland: Check window pixmap in xwl_present_check_flip2 We can only flip if the window pixmap matches that of the toplevel window. Doing so regardless could cause the toplevel window pixmap to get destroyed while it was still referenced by the window, resulting in use-after-free and likely a crash. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1033 Reviewed-by: Olivier Fourdan Reviewed-by: Roman Gilg (cherry picked from commit 4c25356d6cd908c5030c70e712076dff318ac00d) --- hw/xwayland/xwayland-present.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c index 6076f6498..d177abdd8 100644 --- a/hw/xwayland/xwayland-present.c +++ b/hw/xwayland/xwayland-present.c @@ -421,10 +421,18 @@ xwl_present_check_flip2(RRCrtcPtr crtc, PresentFlipReason *reason) { struct xwl_window *xwl_window = xwl_window_from_window(present_window); + ScreenPtr screen = pixmap->drawable.pScreen; if (!xwl_window) return FALSE; + /* Can't flip if the window pixmap doesn't match the xwl_window parent + * window's, e.g. because a client redirected this window or one of its + * parents. + */ + if (screen->GetWindowPixmap(xwl_window->window) != screen->GetWindowPixmap(present_window)) + return FALSE; + /* * We currently only allow flips of windows, that have the same * dimensions as their xwl_window parent window. For the case of
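Review bot: the new declaration `ScreenPtr screen = pixmap->drawable.pScreen;` at the top of xwl_present_check_flip2 dereferences `pixmap` before any check visible in this hunk, although the comparison it feeds only involves `xwl_window->window` and `present_window`. Taking the screen from `present_window->drawable.pScreen` would keep the new test independent of the pixmap argument. The added early `return FALSE` also leaves `*reason` untouched, the same as the existing `!xwl_window` path; if that is intentional, a short comment saying so would help the next reader. Style: the new comment puts its text on the opening `/*` line, while the existing comment directly below starts with a bare `/*`.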