From d9f7ccf3aa256a133fa4f2b62d19a473435ae621 Mon Sep 17 00:00:00 2001
From: John Lindgren
Date: Fri, 15 Aug 2025 01:29:15 -0400
Subject: [PATCH] menu: fix use-after-free at exit with sub-menu selected

Sequence of events:

- menu_finish() frees the sub-menu first
- the selection.menu of the parent menu is now dangling
- menu_finish() frees the parent menu
- menu_free() calls menu_close_root() on the parent menu
- menu_close_root() tries to close the (freed) sub-menu
- boom

Extending nullify_item_pointing_to_this_menu() avoids the crash.
---
 src/menu/menu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/menu/menu.c b/src/menu/menu.c
index 69527ce0..136d2b44 100644
--- a/src/menu/menu.c
+++ b/src/menu/menu.c
@@ -1027,6 +1027,10 @@ nullify_item_pointing_to_this_menu(struct menu *menu)
 if (iter->parent == menu) {
 iter->parent = NULL;
 }
+
+ if (iter->selection.menu == menu) {
+ iter->selection.menu = NULL;
+ }
 }
 }
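Review bot: The added `selection.menu` clearing is correct for the described crash, but it turns nullify_item_pointing_to_this_menu() into a general "drop every back-reference to a menu being freed" sweep, and nothing in the hunk says so; a reader of the function name will not expect it to touch the selection state. I would add a header comment above the function such as `/* Clear every back-reference to `menu` (parent links and current selections) held by other menus, so that teardown after `menu` is freed never follows a dangling pointer. Must be called before the menu's memory is released. */`. The ordering dependency the commit message describes (sub-menus freed before their parents in menu_finish()) is what opens the window, so a one-line comment at the new `if` stating that the selection may outlive the sub-menu during shutdown would also help the next person who reorders menu_finish(). The enclosing loop and the function signature start outside the hunk, and the hunk header counts six context lines while only five are visible here, so a trailing blank line may have been lost in collapsing.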