gdk/wayland: Handle disorderly tablet/pad disconnects

If the tablet gets removed/freed while there are pad events in flight,
we leave a dangling pointer from the pad to the tablet, which may
lead to invalid reads/writes when handling the pad event(s).

diff --git a/gdk/wayland/gdkdevice-wayland.c b/gdk/wayland/gdkdevice-wayland.c
index 4dde7a600a391f93b7c739d90a6f0b3cf5d20b7d..65e556abee257dfa57a2e24b7e9967c70a8881d1 100644 (file)
--- a/gdk/wayland/gdkdevice-wayland.c
+++ b/gdk/wayland/gdkdevice-wayland.c
@@ -2788,6 +2788,14 @@ _gdk_wayland_seat_remove_tablet (GdkWaylandSeat       *seat,
   gdk_seat_device_removed (GDK_SEAT (seat), tablet->eraser_device);
   gdk_seat_device_removed (GDK_SEAT (seat), tablet->master);
 
+  while (tablet->pads)
+    {
+      GdkWaylandTabletPadData *pad = tablet->pads->data;
+
+      pad->current_tablet = NULL;
+      tablet->pads = g_list_remove (tablet->pads, pad);
+    }
+
   zwp_tablet_v2_destroy (tablet->wp_tablet);
 
   _gdk_device_set_associated_device (tablet->master, NULL);