From f8ed199197dd68de3267f5c1429b481f60f4ef72 Mon Sep 17 00:00:00 2001
From: tokyo4j
Date: Thu, 14 Nov 2024 18:16:43 +0900
Subject: [PATCH] menu: fix UAFs in menu_destroy() and item_destroy()

This fixes use-after-free when there's only 1 desktop and menu_hide_submenu() is called to delete "Workspaces" submenu in client-menu before menu scenes are initialized. As menu_create() and item_create() no longer initialize scenes after 76515316, menu->scene_tree and item->tree should be null-checked.
---
 src/menu/menu.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/menu/menu.c b/src/menu/menu.c
index 92c4d25d..ff3f4218 100644
--- a/src/menu/menu.c
+++ b/src/menu/menu.c
@@ -437,7 +437,9 @@ item_destroy(struct menuitem *item)
 	}
 	wl_list_remove(&item->link);
 	action_list_free(&item->actions);
-	wlr_scene_node_destroy(&item->tree->node);
+	if (item->tree) {
+		wlr_scene_node_destroy(&item->tree->node);
+	}
 	free(item->execute);
 	free(item->id);
 	free(item->text);
@@ -1166,7 +1168,9 @@ menu_free(struct menu *menu)
 	 * Destroying the root node will destroy everything,
 	 * including node descriptors and scaled_font_buffers.
 	 */
-	wlr_scene_node_destroy(&menu->scene_tree->node);
+	if (menu->scene_tree) {
+		wlr_scene_node_destroy(&menu->scene_tree->node);
+	}
 	wl_list_remove(&menu->link);
 	zfree(menu->id);
 	zfree(menu->label);
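Review bot: The new `if (item->tree)` guard in item_destroy(), and the matching `if (menu->scene_tree)` guard in menu_free(), are only sound if those pointers are zero-initialized when the struct is allocated and are never left dangling after a destroy; neither hunk shows that, and the commit message only says the scenes are no longer created in menu_create()/item_create(). A short comment at the guard would make the lazy-init contract visible at the destroy site, e.g. `/* NULL until the menu scene is built lazily; see menu_create()/item_create() */`, so a future change that frees the scene elsewhere knows to reset the pointer too. The existing comment in menu_free() ("Destroying the root node will destroy everything ...") now sits above a conditional and could add that nothing scene-related (node descriptors, scaled_font_buffers) exists when scene_tree is NULL, if that is indeed the case. Both item_destroy() and menu_free() start before and end after their hunks, so whether the tree pointer is used again later in either function cannot be confirmed from here.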