commit 073ac425d5bf6f6393eb91d9b5f84e3caa68f511
parent 7ad9d743faa485b35ee5d38224736f445db071d2
Author: Ryan Dwyer <ryandwyer1@gmail.com>
Date: Sat, 28 Jul 2018 15:19:14 +1000
Fix use after free in transactions
In set_instructions_ready, calling set_instruction_ready may cause any
number of transactions to get applied, which removes them from the list
being iterated. The iteration variables need to be adjusted
accordingly.
Diffstat:
1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/sway/desktop/transaction.c b/sway/desktop/transaction.c
@@ -364,7 +364,13 @@ static void set_instructions_ready(struct sway_view *view, int index) {
struct sway_transaction_instruction *instruction =
view->swayc->instructions->items[i];
if (!instruction->ready) {
+ // set_instruction_ready can remove instructions from the list we're
+ // iterating
+ size_t length = view->swayc->instructions->length;
set_instruction_ready(instruction);
+ size_t num_removed = length - view->swayc->instructions->length;
+ i -= num_removed;
+ index -= num_removed;
}
}
}
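Review bot: The rewind of `i` and `index` after `set_instruction_ready(instruction)` is only correct if every instruction removed from `view->swayc->instructions` sat at or before position `i`; nothing in the hunk states or checks that, so a removal from later in the list would make the loop revisit entries and shrink `index` wrongly. The arithmetic also mixes `size_t` with `int index` (and with `i`, which is declared outside the hunk), so if the list ever grew during the call, `num_removed` would wrap to a huge value and push both counters out of range before the next `items[i]` read. I would compute the delta in a signed type, e.g. `int num_removed = (int)length - (int)view->swayc->instructions->length;`, and extend the comment to record the ordering assumption, e.g. `// removed entries are assumed to precede i; confirm against the code that applies transactions`. The loop header is outside the hunk, so whether its bound still holds after the adjustment cannot be checked from here.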