wineopenxr: Remove wrapped XrSession from session list on destroy. #9915

Open
ImSapphire wants to merge 2 commits into ValveSoftware:bleeding-edge from ImSapphire:sapphire/wineopenxr-session-uaf

Conversation

@ImSapphire

This was causing a use-after-free in xrPollEvent if the runtime reuses a previous XrSession handle when the session is destroyed and recreated.

Fixes Prism3D-based games (Euro Truck Simulator 2, American Truck Simulator) never calling xrBeginSession and running the frame loop if the host runtime reuses the XrSession handle when the engine destroys and recreates its session. Previously the game would ignore the XR_TYPE_EVENT_DATA_SESSION_STATE_CHANGED event since the evt->session pointer from the list was incorrect; we would retrieve the old session pointer.

Signed-off-by: Sapphire <imsapphire0@gmail.com>
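
The failure mode described in this pull request, as an added example that is not part of the original post and is not wineopenxr code: a simplified model of a handle-to-wrapper list in which a destroyed entry stays reachable and shadows the new session when the host handle is reused. All names, the fixed-size pool, the first-match lookup and the handle value are assumptions made for illustration; a flag stands in for freeing the wrapper so the stale lookup can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model, not wineopenxr code. All names here are hypothetical. */
typedef uint64_t host_handle;   /* stands in for the host runtime's XrSession */

struct wrapped_session {
    host_handle host;   /* handle issued by the host runtime */
    int alive;          /* 0 once destroyed; a real wrapper would be freed here */
    int in_list;        /* 1 while still reachable from the lookup list */
};
#define MAX_SESSIONS 8
static struct wrapped_session pool[MAX_SESSIONS];
static size_t pool_used;

/* Create a wrapper for a host handle and add it to the list. */
struct wrapped_session *session_create(host_handle host)
{
    if (pool_used == MAX_SESSIONS) return NULL;
    struct wrapped_session *s = &pool[pool_used++];
    s->host = host; s->alive = 1; s->in_list = 1;
    return s;
}

/* Destroy a wrapper. unlink_from_list = 0 models the behaviour before the fix. */
void session_destroy(struct wrapped_session *s, int unlink_from_list)
{
    s->alive = 0;
    if (unlink_from_list) s->in_list = 0;
}

/* Event path: map the host handle in an event back to a wrapper (first match). */
struct wrapped_session *session_lookup(host_handle host)
{
    for (size_t i = 0; i < pool_used; i++)
        if (pool[i].in_list && pool[i].host == host)
            return &pool[i];
    return NULL;
}

/* Destroy, then recreate with a reused handle; 1 if lookup finds the live wrapper. */
int recreate_resolves_to_live(int unlink_from_list)
{
    pool_used = 0;
    struct wrapped_session *old = session_create(0x1000);   /* constructed value */
    session_destroy(old, unlink_from_list);
    struct wrapped_session *fresh = session_create(0x1000); /* handle reused */
    struct wrapped_session *found = session_lookup(0x1000);
    return found == fresh && found->alive;
}
```

With `unlink_from_list` set to 0 the lookup returns the destroyed wrapper, which is the stale pointer the description refers to; with 1 it returns the recreated session.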
@ImSapphire force-pushed the sapphire/wineopenxr-session-uaf branch from 1c28f7d to 62e2231 on June 29, 2026 09:52
@Plagman force-pushed the bleeding-edge branch 5 times, most recently from 6fdfce2 to e3c25b2 on June 29, 2026 14:42
@Mr-Zero88

same fix as this PR: #9485

@Plagman force-pushed the bleeding-edge branch 17 times, most recently from cfbbd55 to 4b254b5 on June 30, 2026 18:52
@Plagman force-pushed the bleeding-edge branch 12 times, most recently from deab009 to d183798 on July 1, 2026 15:52