From 9b2202828af4c4b6f083587a25ef6e4b59eb2150 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Sun, 28 Apr 2019 17:37:49 -0700
Subject: [PATCH] Fix use-after-free when pumping the event loop after SDL_DestroyWindow()

Closing the window is asynchronous, but we free the window data immediately, so we can get an updateLayer callback before the window is really destroyed which will cause us to access the freed memory. Clearing the content view will cause it to be immediately released, so no further updateLayer callbacks will occur.
---
 src/video/cocoa/SDL_cocoawindow.m | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/video/cocoa/SDL_cocoawindow.m b/src/video/cocoa/SDL_cocoawindow.m
index bdbb010da..29e56ea03 100644
--- a/src/video/cocoa/SDL_cocoawindow.m
+++ b/src/video/cocoa/SDL_cocoawindow.m
@@ -1816,6 +1816,8 @@ Cocoa_DestroyWindow(_THIS, SDL_Window * window)
 [data->listener close];
 [data->listener release];
 if (data->created) {
+ /* Release the content view to avoid further updateLayer callbacks */
+ [data->nswindow setContentView:nil];
 [data->nswindow close];
 }
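Review bot: The new `[data->nswindow setContentView:nil]` runs only inside `if (data->created)`, so a window that SDL wrapped rather than created keeps whatever content view is installed on it; if that path also installs an SDL view whose `updateLayer` reaches `data` (not visible in this hunk), the same use-after-free stays reachable there and should be confirmed. The added comment names the mechanism but not the ordering it relies on; since the protection only holds because the view is released before the window data is freed later in this function, I would extend it to `/* Release the content view now so no updateLayer callback can run against the window data once it is freed below; the window close itself is asynchronous */` so a future reorder does not silently reintroduce the bug. Cocoa_DestroyWindow starts before this hunk and continues after it.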