From 8eb3ecc7556e07ffdb8037504429e9ccc749c0ab Mon Sep 17 00:00:00 2001
From: Vaxry <vaxry@vaxry.net>
Date: Mon, 5 Jan 2026 16:25:46 +0100
Subject: [PATCH] input/TI: avoid UAF in destroy

---
 src/managers/input/TextInput.cpp | 26 ++++++++++++--------------
 src/managers/input/TextInput.hpp |  2 ++
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/managers/input/TextInput.cpp b/src/managers/input/TextInput.cpp
index 40420129..be9a5d29 100644
--- a/src/managers/input/TextInput.cpp
+++ b/src/managers/input/TextInput.cpp
@@ -22,13 +22,7 @@ void CTextInput::initCallbacks() {
         m_listeners.disable = INPUT->m_events.disable.listen([this] { onDisabled(); });
         m_listeners.commit  = INPUT->m_events.onCommit.listen([this] { onCommit(); });
         m_listeners.reset   = INPUT->m_events.reset.listen([this] { onReset(); });
-        m_listeners.destroy = INPUT->m_events.destroy.listen([this] {
-            m_listeners.surfaceUnmap.reset();
-            m_listeners.surfaceDestroy.reset();
-            g_pInputManager->m_relay.removeTextInput(this);
-            if (!g_pInputManager->m_relay.getFocusedTextInput())
-                g_pInputManager->m_relay.deactivateIME(this);
-        });
+        m_listeners.destroy = INPUT->m_events.destroy.listen([this] { destroy(); });
 
         if (Desktop::focusState()->surface() && Desktop::focusState()->surface()->client() == INPUT->client())
             enter(Desktop::focusState()->surface());
@@ -39,16 +33,20 @@ void CTextInput::initCallbacks() {
         m_listeners.disable = INPUT->m_events.disable.listen([this] { onDisabled(); });
         m_listeners.commit  = INPUT->m_events.onCommit.listen([this] { onCommit(); });
         m_listeners.reset   = INPUT->m_events.reset.listen([this] { onReset(); });
-        m_listeners.destroy = INPUT->m_events.destroy.listen([this] {
-            m_listeners.surfaceUnmap.reset();
-            m_listeners.surfaceDestroy.reset();
-            g_pInputManager->m_relay.removeTextInput(this);
-            if (!g_pInputManager->m_relay.getFocusedTextInput())
-                g_pInputManager->m_relay.deactivateIME(this);
-        });
+        m_listeners.destroy = INPUT->m_events.destroy.listen([this] { destroy(); });
     }
 }
 
+void CTextInput::destroy() {
+    m_listeners.surfaceUnmap.reset();
+    m_listeners.surfaceDestroy.reset();
+
+    g_pInputManager->m_relay.removeTextInput(this);
+
+    if (!g_pInputManager->m_relay.getFocusedTextInput())
+        g_pInputManager->m_relay.deactivateIME(nullptr, false);
+}
+
 void CTextInput::onEnabled(SP<CWLSurfaceResource> surfV1) {
     Log::logger->log(Log::DEBUG, "TI ENABLE");
 
diff --git a/src/managers/input/TextInput.hpp b/src/managers/input/TextInput.hpp
index acb38d58..798f31e9 100644
--- a/src/managers/input/TextInput.hpp
+++ b/src/managers/input/TextInput.hpp
@@ -39,6 +39,8 @@ class CTextInput {
     void                   setFocusedSurface(SP<CWLSurfaceResource> pSurface);
     void                   initCallbacks();
 
+    void                   destroy();
+
     WP<CWLSurfaceResource> m_focusedSurface;
     int                    m_enterLocks = 0;
     WP<CTextInputV3>       m_v3Input;