url-mode: fix crash when removing duplicate and/or overlapping URLs

Removing overlaping and duplicated URLs is done by running two nested
loops, that both iterate the same URL list.

When a duplicate is found, one of the URLs is destroyed and removed
from the list.

Deleting and removing an item *is* safe, but only as long as _no
other_ iterator has references to it.

In this case, if we remove an item from e.g. the inner iterator, we’ll
crash if the outer iterator’s *next* item is the item being removed.

Closes #627

CHANGELOG.md

@@ -51,6 +51,8 @@
   last column, and `tweak.allow-overflowing-double-width-glyphs=yes`.
 * FD exhaustion when repeatedly entering/exiting URL mode with many
   URLs.
+* Double free of URL while removing duplicated and/or overlapping URLs
+  in URL mode (https://codeberg.org/dnkl/foot/issues/627).
 
 
 ### Security

terminal.h

@@ -264,6 +264,7 @@ struct url {
     enum url_action action;
     bool url_mode_dont_change_url_attr; /* Entering/exiting URL mode doesn’t touch the cells’ attr.url */
     bool osc8;
+    bool duplicate;
 };
 typedef tll(struct url) url_list_t;
 

url-mode.c

@@ -470,16 +470,20 @@ remove_overlapping(url_list_t *urls, int cols)
                  */
                 xassert(in->osc8 || out->osc8);
 
-                if (in->osc8) {
+                if (in->osc8)
-                    url_destroy(&outer->item);
+                    outer->item.duplicate = true;
-                    tll_remove(*urls, outer);
+                else
-                } else {
+                    inner->item.duplicate = true;
-                    url_destroy(&inner->item);
-                    tll_remove(*urls, inner);
-                }
             }
         }
     }
+
+    tll_foreach(*urls, it) {
+        if (it->item.duplicate) {
+            url_destroy(&it->item);
+            tll_remove(*urls, it);
+        }
+    }
 }
 
 void