Fix use-after-free when pumping the event loop after SDL_DestroyWindow()
author Cameron Gutman
Sun, 28 Apr 2019 17:37:49 -0700
changeset 12746 132a2af7edac
parent 12745 c82ce49419a5
child 12747 cdf53e16feb7
Fix use-after-free when pumping the event loop after SDL_DestroyWindow()

Closing the window is asynchronous, but we free the window data immediately,
so we can get an updateLayer callback before the window is really destroyed which
will cause us to access the freed memory.

Clearing the content view will cause it to be immediately released, so no further
updateLayer callbacks will occur.
src/video/cocoa/SDL_cocoawindow.m
     1.1 --- a/src/video/cocoa/SDL_cocoawindow.m	Mon May 20 14:31:03 2019 -0700
     1.2 +++ b/src/video/cocoa/SDL_cocoawindow.m	Sun Apr 28 17:37:49 2019 -0700
     1.3 @@ -1816,6 +1816,8 @@
     1.4          [data->listener close];
     1.5          [data->listener release];
     1.6          if (data->created) {
     1.7 +            /* Release the content view to avoid further updateLayer callbacks */
     1.8 +            [data->nswindow setContentView:nil];
     1.9              [data->nswindow close];
    1.10          }
    1.11
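Review bot: The new `[data->nswindow setContentView:nil];` at 1.8 is placed inside the `if (data->created)` branch, so a window for which `data->created` is false keeps its content view, yet the commit message says the window data is freed immediately in either case. If such a window can still deliver updateLayer callbacks to a view that references the freed data, the same use-after-free remains on that path; please either confirm that this cannot happen and say so in the comment, or detach the view (or clear its back-reference to the window data) outside the conditional. The comment at 1.7 would also be more useful to a later reader if it stated that `close` is asynchronous, since that is the reason the ordering of these two calls matters.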