mirrors/wayland
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/wayland.git synced 2026-04-03 07:15:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

util: fix use-after-free in for_each_helper

Browse source 
for_each_helper caches the entries->data pointer and array size before
iterating. If a compositor calls wl_client_for_each_resource() and the
provided callback triggers the creation of a new client object, the
underlying wl_array may be reallocated via realloc().

When this happens, the cached start pointer becomes dangling. Subsequent
iterations will read from the freed memory block, causing already-destroyed
resources to be destroyed a second time (e.g., leading to a double-free
crash in wl_list_remove()).

Fix this by dynamically re-fetching entries->data and entries->size on
every loop iteration, ensuring the iterator always accesses the valid
live array.

Signed-off-by: YaNing Lu <luyaning@uniontech.com>
This commit is contained in:
YaNing Lu 2026-03-26 16:38:38 +08:00
parent 44b26e34e5
commit e647f6304d
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/wayland-util.c
View file

@ -424,10 +424,12 @@ for_each_helper(struct wl_array *entries, wl_iterator_func_t func, void *data)
union map_entry entry, *start; union map_entry entry, *start;
size_t count; size_t count;
start = (union map_entry *) entries->data; for (size_t idx = 0; ; idx++) {
count = entries->size / sizeof(union map_entry); count = entries->size / sizeof(union map_entry);
if (idx >= count)
break;
for (size_t idx = 0; idx < count; idx++) { start = (union map_entry *) entries->data;
entry = start[idx]; entry = start[idx];
if (entry.data && !map_entry_is_free(entry)) { if (entry.data && !map_entry_is_free(entry)) {
ret = func(map_entry_get_data(entry), data, map_entry_get_flags(entry)); ret = func(map_entry_get_data(entry), data, map_entry_get_flags(entry));