Fix use-after-free when pumping the event loop after SDL_DestroyWindow()

Closing the window is asynchronous, but we free the window data immediately, so we can get an updateLayer callback before the window is really destroyed which will cause us to access the freed memory. Clearing the content view will cause it to be immediately released, so no further updateLayer callbacks will occur.
libsdl-org · Apr 29, 2019 · 9b22028 · 9b22028
1 parent a4e33b9
commit 9b22028
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/video/cocoa/SDL_cocoawindow.m b/src/video/cocoa/SDL_cocoawindow.m
@@ -1816,6 +1816,8 @@ - (BOOL)acceptsFirstMouse:(NSEvent *)theEvent
         [data->listener close];
         [data->listener release];
         if (data->created) {
+            /* Release the content view to avoid further updateLayer callbacks */
+            [data->nswindow setContentView:nil];
             [data->nswindow close];
         }