xwayland: Check window pixmap in xwl_present_check_flip2

We can only flip if the window pixmap matches that of the toplevel
window. Doing so regardless could cause the toplevel window pixmap to
get destroyed while it was still referenced by the window, resulting in
use-after-free and likely a crash.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1033
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Roman Gilg <subdiff@gmail.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index a4ecdada4..afcd03187 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -399,10 +399,18 @@ xwl_present_check_flip2(RRCrtcPtr crtc,
                         PresentFlipReason *reason)
 {
     struct xwl_window *xwl_window = xwl_window_from_window(present_window);
+    ScreenPtr screen = pixmap->drawable.pScreen;
 
     if (!xwl_window)
         return FALSE;
 
+    /* Can't flip if the window pixmap doesn't match the xwl_window parent
+     * window's, e.g. because a client redirected this window or one of its
+     * parents.
+     */
+    if (screen->GetWindowPixmap(xwl_window->window) != screen->GetWindowPixmap(present_window))
+        return FALSE;
+
     /*
      * We currently only allow flips of windows, that have the same
      * dimensions as their xwl_window parent window. For the case of