From dfd79cf19dcebf283bd884dded8efc83e449016d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 19 Nov 2018 11:25:57 +0100
Subject: [PATCH 07/28] clutter: Keep a device reference with events

If a device (virtual or real) is removed while there are remaining
events queued for that device, the event loop may try to access the
event freed memory.

To avoid the issue, add a reference to the device when the event is
created or copied, and remove the reference once the device is freed.

Closes: https://gitlab.gnome.org/GNOME/mutter/issues/393
---
 clutter/clutter/clutter-event.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/clutter/clutter/clutter-event.c b/clutter/clutter/clutter-event.c
index 10b6c0082..1b21b6a97 100644
--- a/clutter/clutter/clutter-event.c
+++ b/clutter/clutter/clutter-event.c
@@ -1068,61 +1068,61 @@ clutter_event_get_device_type (const ClutterEvent *event)
 
   g_return_val_if_fail (event != NULL, CLUTTER_POINTER_DEVICE);
 
   device = clutter_event_get_device (event);
   if (device != NULL)
     return clutter_input_device_get_device_type (device);
 
   return CLUTTER_POINTER_DEVICE;
 }
 
 /**
  * clutter_event_set_device:
  * @event: a #ClutterEvent
  * @device: (allow-none): a #ClutterInputDevice, or %NULL
  *
  * Sets the device for @event.
  *
  * Since: 1.6
  */
 void
 clutter_event_set_device (ClutterEvent       *event,
                           ClutterInputDevice *device)
 {
   g_return_if_fail (event != NULL);
   g_return_if_fail (device == NULL || CLUTTER_IS_INPUT_DEVICE (device));
 
   if (is_event_allocated (event))
     {
       ClutterEventPrivate *real_event = (ClutterEventPrivate *) event;
 
-      real_event->device = device;
+      g_set_object (&real_event->device, device);
     }
 
   switch (event->type)
     {
     case CLUTTER_NOTHING:
     case CLUTTER_STAGE_STATE:
     case CLUTTER_DESTROY_NOTIFY:
     case CLUTTER_CLIENT_MESSAGE:
     case CLUTTER_DELETE:
     case CLUTTER_EVENT_LAST:
       break;
 
     case CLUTTER_ENTER:
     case CLUTTER_LEAVE:
       event->crossing.device = device;
       break;
 
     case CLUTTER_BUTTON_PRESS:
     case CLUTTER_BUTTON_RELEASE:
       event->button.device = device;
       break;
 
     case CLUTTER_MOTION:
       event->motion.device = device;
       break;
 
     case CLUTTER_SCROLL:
       event->scroll.device = device;
       break;
 
@@ -1337,62 +1337,62 @@ clutter_event_new (ClutterEventType type)
   return new_event;
 }
 
 /**
  * clutter_event_copy:
  * @event: A #ClutterEvent.
  *
  * Copies @event.
  *
  * Return value: (transfer full): A newly allocated #ClutterEvent
  */
 ClutterEvent *
 clutter_event_copy (const ClutterEvent *event)
 {
   ClutterEvent *new_event;
   ClutterEventPrivate *new_real_event;
   ClutterInputDevice *device;
   gint n_axes = 0;
 
   g_return_val_if_fail (event != NULL, NULL);
 
   new_event = clutter_event_new (CLUTTER_NOTHING);
   new_real_event = (ClutterEventPrivate *) new_event;
 
   *new_event = *event;
 
   if (is_event_allocated (event))
     {
       ClutterEventPrivate *real_event = (ClutterEventPrivate *) event;
 
-      new_real_event->device = real_event->device;
-      new_real_event->source_device = real_event->source_device;
+      g_set_object (&new_real_event->device, real_event->device);
+      g_set_object (&new_real_event->source_device, real_event->source_device);
       new_real_event->delta_x = real_event->delta_x;
       new_real_event->delta_y = real_event->delta_y;
       new_real_event->is_pointer_emulated = real_event->is_pointer_emulated;
       new_real_event->base_state = real_event->base_state;
       new_real_event->button_state = real_event->button_state;
       new_real_event->latched_state = real_event->latched_state;
       new_real_event->locked_state = real_event->locked_state;
       new_real_event->tool = real_event->tool;
     }
 
   device = clutter_event_get_device (event);
   if (device != NULL)
     n_axes = clutter_input_device_get_n_axes (device);
 
   switch (event->type)
     {
     case CLUTTER_BUTTON_PRESS:
     case CLUTTER_BUTTON_RELEASE:
       if (event->button.axes != NULL)
         new_event->button.axes = g_memdup (event->button.axes,
                                            sizeof (gdouble) * n_axes);
       break;
 
     case CLUTTER_SCROLL:
       if (event->scroll.axes != NULL)
         new_event->scroll.axes = g_memdup (event->scroll.axes,
                                            sizeof (gdouble) * n_axes);
       break;
 
     case CLUTTER_MOTION:
@@ -1408,60 +1408,68 @@ clutter_event_copy (const ClutterEvent *event)
       if (event->touch.axes != NULL)
         new_event->touch.axes = g_memdup (event->touch.axes,
                                           sizeof (gdouble) * n_axes);
       break;
 
     default:
       break;
     }
 
   if (is_event_allocated (event))
     _clutter_backend_copy_event_data (clutter_get_default_backend (),
                                       event,
                                       new_event);
 
   return new_event;
 }
 
 /**
  * clutter_event_free:
  * @event: A #ClutterEvent.
  *
  * Frees all resources used by @event.
  */
 void
 clutter_event_free (ClutterEvent *event)
 {
   if (G_LIKELY (event != NULL))
     {
       _clutter_backend_free_event_data (clutter_get_default_backend (), event);
 
+      if (is_event_allocated (event))
+        {
+          ClutterEventPrivate *real_event = (ClutterEventPrivate *) event;
+
+          g_clear_object (&real_event->device);
+          g_clear_object (&real_event->source_device);
+        }
+
       switch (event->type)
         {
         case CLUTTER_BUTTON_PRESS:
         case CLUTTER_BUTTON_RELEASE:
           g_free (event->button.axes);
           break;
 
         case CLUTTER_MOTION:
           g_free (event->motion.axes);
           break;
 
         case CLUTTER_SCROLL:
           g_free (event->scroll.axes);
           break;
 
         case CLUTTER_TOUCH_BEGIN:
         case CLUTTER_TOUCH_UPDATE:
         case CLUTTER_TOUCH_END:
         case CLUTTER_TOUCH_CANCEL:
           g_free (event->touch.axes);
           break;
 
         default:
           break;
         }
 
       g_hash_table_remove (all_events, event);
       g_slice_free (ClutterEventPrivate, (ClutterEventPrivate *) event);
     }
 }
@@ -1662,61 +1670,61 @@ clutter_event_get_source_device (const ClutterEvent *event)
   if (real_event->source_device != NULL)
     return real_event->source_device;
 
   return clutter_event_get_device (event);
 }
 
 /**
  * clutter_event_set_source_device:
  * @event: a #ClutterEvent
  * @device: (allow-none): a #ClutterInputDevice
  *
  * Sets the source #ClutterInputDevice for @event.
  *
  * The #ClutterEvent must have been created using clutter_event_new().
  *
  * Since: 1.8
  */
 void
 clutter_event_set_source_device (ClutterEvent       *event,
                                  ClutterInputDevice *device)
 {
   ClutterEventPrivate *real_event;
 
   g_return_if_fail (event != NULL);
   g_return_if_fail (device == NULL || CLUTTER_IS_INPUT_DEVICE (device));
 
   if (!is_event_allocated (event))
     return;
 
   real_event = (ClutterEventPrivate *) event;
-  real_event->source_device = device;
+  g_set_object (&real_event->source_device, device);
 }
 
 /**
  * clutter_event_get_axes:
  * @event: a #ClutterEvent
  * @n_axes: (out): return location for the number of axes returned
  *
  * Retrieves the array of axes values attached to the event.
  *
  * Return value: (transfer none): an array of axis values
  *
  * Since: 1.6
  */
 gdouble *
 clutter_event_get_axes (const ClutterEvent *event,
                         guint              *n_axes)
 {
   gdouble *retval = NULL;
   guint len = 0;
 
   switch (event->type)
     {
     case CLUTTER_NOTHING:
     case CLUTTER_STAGE_STATE:
     case CLUTTER_DESTROY_NOTIFY:
     case CLUTTER_CLIENT_MESSAGE:
     case CLUTTER_DELETE:
     case CLUTTER_ENTER:
     case CLUTTER_LEAVE:
     case CLUTTER_KEY_PRESS:
-- 
2.26.2