mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2026-02-04 04:06:18 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

tiling_resize: fix use-after-free on view unmap during resize

Browse source 
Closing a tiled window (mod+shift+q) while resizing (mod+click) causes
an use-after-free in handle_unref.

Both conditions can be true in this case, which will result in
dereferencing `e` on the second check after it has already been freed by
the first `seatop_begin_default`.

Fix by combining separate checks for the main container and its
horizontal/vertical siblings into a single condition.

The second check was added in 9e272a7986
and I've checked that this fix does not regress that issue.
This commit is contained in:
llyyr 2025-12-18 23:02:32 +05:30 committed by Kenny Levinsen
parent fa81ce8ee6
commit 238f0d4a8b
1 changed files with 1 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
sway/input/seatop_resize_tiling.c
View file

@ -105,10 +105,7 @@ static void handle_pointer_motion(struct sway_seat *seat, uint32_t time_msec) {
static void handle_unref(struct sway_seat *seat, struct sway_container *con) {
struct seatop_resize_tiling_event *e = seat->seatop_data;
if (e->con == con) {
seatop_begin_default(seat);
}
if (e->h_sib == con || e->v_sib == con) {
if (e->con == con || e->h_sib == con || e->v_sib == con) {
seatop_begin_default(seat);
}
}