fix: capturev1 resource destroy callbacks: use deleteLater() to avoid UAF

[felixonmars]

When WClient::destroyed fires (from ~QObject of a WClient being deleted), the connected slots in treeland_capture_{context,session,frame}_v1::setResource call wl_resource_destroy(this->resource). This triggers the wl_resource destructor callback (capture_{context,session,frame}_resource_destroy) which immediately calls 'delete this' — deleting the Qt receiver QObject while Qt's doActivate() is still iterating its WClient::destroyed connection list.

The immediate deletion calls ~QObject() → removeConnection() → c->deref(), which can free the Connection object c that doActivate() currently holds as a raw pointer. On the next loop iteration, c->nextConnectionList.loadRelaxed() reads freed memory, resulting in a UAF crash at QBasicAtomicPointer::loadRelaxed (qobject.cpp:4317):

  doActivate → list->first.loadRelaxed() → c->receiver OK
    → c->receiverThreadData → td (non-null but freed) → td->threadId SIGSEGV

Fix: replace 'delete session/context/frame' with deleteLater() and null out the resource pointer first. This defers the QObject destruction to the next event loop iteration, after doActivate() has finished iterating connections. Also add null guards in the WClient::destroyed slots since resource is now set to nullptr by the callbacks.

Summary by Sourcery

Defer destruction of capture v1 context/session/frame objects on Wayland resource teardown to avoid use-after-free when WClient is destroyed.

Bug Fixes:

• Prevent a use-after-free crash by replacing immediate deletion of capture context/session/frame objects with deferred QObject deletion on Wayland resource destroy callbacks.

Enhancements:

• Null out capture context/session/frame resource pointers before scheduling deferred deletion and guard WClient::destroyed handlers against null resources to avoid double-destroy.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: felixonmars

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR fixes a use-after-free caused by immediate deletion of capturev1 QObject wrappers from Wayland wl_resource destroy callbacks by deferring their destruction with deleteLater(), nulling their wl_resource pointers, and guarding WClient::destroyed handlers against double/destroy-after-free by checking the resource pointer before calling wl_resource_destroy().

Sequence diagram for fixed WClient destruction and capturev1 resource teardown

sequenceDiagram
    actor Client
    participant WClient
    participant QtSignal as QObject_doActivate
    participant CaptureObj as treeland_capture_session_v1
    participant WLRes as wl_resource

    Client ->> WClient: destroy WClient instance
    activate WClient
    WClient ->> QtSignal: emit destroyed
    activate QtSignal
    QtSignal ->> CaptureObj: invoke WClient_destroyed_lambda
    activate CaptureObj
    alt resource is non null
        CaptureObj ->> WLRes: wl_resource_destroy(resource)
        activate WLRes
        WLRes ->> CaptureObj: capture_session_resource_destroy(resource)
        Note over CaptureObj: Q_EMIT beforeDestroy()
        CaptureObj ->> CaptureObj: resource = nullptr
        CaptureObj ->> CaptureObj: deleteLater()
        deactivate WLRes
    else resource is null
        CaptureObj ->> CaptureObj: skip wl_resource_destroy
    end
    deactivate CaptureObj
    QtSignal ->> QtSignal: finish iterating connections
    deactivate QtSignal
    deactivate WClient

    participant QtEventLoop
    QtEventLoop ->> CaptureObj: process pending deleteLater
    CaptureObj ->> CaptureObj: QObject destructor runs

Loading

Class diagram for updated capturev1 objects and resource handling

classDiagram
    class WClient {
    }

    class wl_resource {
    }

    class treeland_capture_context_v1 {
        wl_resource* resource
        +void setResource(wl_client* client, wl_resource* resource)
    }

    class treeland_capture_session_v1 {
        wl_resource* resource
        +void setResource(wl_client* client, wl_resource* resource)
    }

    class treeland_capture_frame_v1 {
        wl_resource* resource
        +void setResource(wl_client* client, wl_resource* resource)
    }

    class QtQObject {
        +void deleteLater()
        +signal destroyed()
    }

    QtQObject <|-- WClient
    QtQObject <|-- treeland_capture_context_v1
    QtQObject <|-- treeland_capture_session_v1
    QtQObject <|-- treeland_capture_frame_v1

    WClient --> treeland_capture_context_v1 : destroyed connection
    WClient --> treeland_capture_session_v1 : destroyed connection
    WClient --> treeland_capture_frame_v1 : destroyed connection

    treeland_capture_context_v1 --> wl_resource : resource
    treeland_capture_session_v1 --> wl_resource : resource
    treeland_capture_frame_v1 --> wl_resource : resource

    class capture_context_resource_destroy {
        +void capture_context_resource_destroy(wl_resource* resource)
    }

    class capture_session_resource_destroy {
        +void capture_session_resource_destroy(wl_resource* resource)
    }

    class capture_frame_resource_destroy {
        +void capture_frame_resource_destroy(wl_resource* resource)
    }

    capture_context_resource_destroy --> treeland_capture_context_v1 : null resource then deleteLater
    capture_session_resource_destroy --> treeland_capture_session_v1 : null resource then deleteLater
    capture_frame_resource_destroy --> treeland_capture_frame_v1 : null resource then deleteLater

    class wl_client {
    }

    class WClient_static {
        +WClient* get(wl_client* client)
    }

    WClient_static ..> WClient : get
    treeland_capture_context_v1 ..> WClient_static : setResource
    treeland_capture_session_v1 ..> WClient_static : setResource
    treeland_capture_frame_v1 ..> WClient_static : setResource

Loading

File-Level Changes

Change	Details	Files
Defer destruction of capture session/context/frame QObjects from wl_resource destroy callbacks and clear their wl_resource pointers to avoid re-entrant deletion and UAF.	Replace direct delete of session/context/frame objects in their respective wl_resource destroy callbacks with deleteLater() to ensure deletion happens after Qt signal delivery completes. Set the resource member to nullptr in each destroy callback before scheduling deletion to avoid subsequent double-destroy attempts via stored wl_resource pointers. Preserve beforeDestroy() emission semantics while changing the lifetime handling of the associated QObject wrappers.	src/modules/capture/impl/capturev1impl.cpp
Make WClient::destroyed hookups robust when triggering wl_resource_destroy() by guarding on the stored resource pointer.	Wrap wl_resource_destroy(this->resource) calls in capture context/session/frame setResource lambdas with a null check on resource to avoid destroying an already-freed wl_resource. Rely on the destroy callbacks’ nulling of the resource pointer to prevent repeated destruction when WClient::destroyed fires after the resource has already been cleaned up.	src/modules/capture/impl/capturev1impl.cpp

Possibly linked issues

• chore: suppress compile warnings #29: The PR fixes a UAF during Wayland resource destruction within Qt signals, matching the crash stacktrace in issue chore: suppress compile warnings #29.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zccrs]

要更新文件的copyright时间