From e647f6304d7491fa436047908dc559f5badf613e Mon Sep 17 00:00:00 2001 From: YaNing Lu Date: Thu, 26 Mar 2026 16:38:38 +0800 Subject: [PATCH] util: fix use-after-free in for_each_helper for_each_helper caches the entries->data pointer and array size before iterating. If a compositor calls wl_client_for_each_resource() and the provided callback triggers the creation of a new client object, the underlying wl_array may be reallocated via realloc(). When this happens, the cached start pointer becomes dangling. Subsequent iterations will read from the freed memory block, causing already-destroyed resources to be destroyed a second time (e.g., leading to a double-free crash in wl_list_remove()). Fix this by dynamically re-fetching entries->data and entries->size on every loop iteration, ensuring the iterator always accesses the valid live array. Signed-off-by: YaNing Lu --- src/wayland-util.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/wayland-util.c b/src/wayland-util.c index f5518676..15e157d7 100644 --- a/src/wayland-util.c +++ b/src/wayland-util.c @@ -424,10 +424,12 @@ for_each_helper(struct wl_array *entries, wl_iterator_func_t func, void *data) union map_entry entry, *start; size_t count; - start = (union map_entry *) entries->data; - count = entries->size / sizeof(union map_entry); + for (size_t idx = 0; ; idx++) { + count = entries->size / sizeof(union map_entry); + if (idx >= count) + break; - for (size_t idx = 0; idx < count; idx++) { + start = (union map_entry *) entries->data; entry = start[idx]; if (entry.data && !map_entry_is_free(entry)) { ret = func(map_entry_get_data(entry), data, map_entry_get_flags(entry));