mirrors/labwc
1
0
Fork 0
mirror of https://github.com/labwc/labwc.git synced 2025-11-04 13:30:07 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

menu: fix use-after-free at exit with sub-menu selected

Browse source 
Sequence of events:

- menu_finish() frees the sub-menu first
- the selection.menu of the parent menu is now dangling
- menu_finish() frees the parent menu
- menu_free() calls menu_close_root() on the parent menu
- menu_close_root() tries to close the (freed) sub-menu
- boom

Extending nullify_item_pointing_to_this_menu() avoids the crash.
This commit is contained in:
John Lindgren 2025-08-15 01:29:15 -04:00 committed by Hiroaki Yamamoto
parent 6e949e623a
commit d9f7ccf3aa
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/menu/menu.c
View file

@ -1027,6 +1027,10 @@ nullify_item_pointing_to_this_menu(struct menu *menu)
if (iter->parent == menu) { if (iter->parent == menu) {
iter->parent = NULL; iter->parent = NULL;
} }
if (iter->selection.menu == menu) {
iter->selection.menu = NULL;
}
} }
} }