mirrors/labwc
1
0
Fork 0
mirror of https://github.com/labwc/labwc.git synced 2025-11-03 09:01:51 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

menu: fix UAFs in menu_destroy() and item_destroy()

Browse source 
This fixes use-after-free when there's only 1 desktop and
menu_hide_submenu() is called to delete "Workspaces" submenu in
client-menu before menu scenes are initialized.

As menu_create() and item_create() no longer initialize scenes after
76515316, menu->scene_tree and item->tree should be null-checked.
This commit is contained in:
tokyo4j 2024-11-14 18:16:43 +09:00 committed by Consolatis
parent 22eefa32a2
commit f8ed199197
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/menu/menu.c
View file

@ -437,7 +437,9 @@ item_destroy(struct menuitem *item)
} }
wl_list_remove(&item->link); wl_list_remove(&item->link);
action_list_free(&item->actions); action_list_free(&item->actions);
if (item->tree) {
wlr_scene_node_destroy(&item->tree->node); wlr_scene_node_destroy(&item->tree->node);
}
free(item->execute); free(item->execute);
free(item->id); free(item->id);
free(item->text); free(item->text);
@ -1166,7 +1168,9 @@ menu_free(struct menu *menu)
* Destroying the root node will destroy everything, * Destroying the root node will destroy everything,
* including node descriptors and scaled_font_buffers. * including node descriptors and scaled_font_buffers.
*/ */
if (menu->scene_tree) {
wlr_scene_node_destroy(&menu->scene_tree->node); wlr_scene_node_destroy(&menu->scene_tree->node);
}
wl_list_remove(&menu->link); wl_list_remove(&menu->link);
zfree(menu->id); zfree(menu->id);
zfree(menu->label); zfree(menu->label);