author | Ryan Dwyer <ryandwyer1@gmail.com> | 2018-07-28 15:19:14 +1000 |
---|---|---|
committer | Ryan Dwyer <ryandwyer1@gmail.com> | 2018-07-28 15:21:39 +1000 |
commit | 073ac425d5bf6f6393eb91d9b5f84e3caa68f511 (patch) | |
tree | 815a384ed1a54f390e46805c1ae0927449b29430 | |
parent | Merge pull request #2369 from mihaicmn/preserve-workspace-name (diff) | |
Fix use after free in transactions
In set_instructions_ready, calling set_instruction_ready may cause any
number of transactions to get applied, which removes them from the list
being iterated. The iteration variables need to be adjusted
accordingly.
-rw-r--r-- | sway/desktop/transaction.c | 6 |
1 files changed, 6 insertions, 0 deletions
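--- a/sway/desktop/transaction.c
+++ b/sway/desktop/transaction.c
@@ -364,7 +364,13 @@ static void set_instructions_ready(struct sway_view *view, int index) {
 struct sway_transaction_instruction *instruction =
 view->swayc->instructions->items[i];
 if (!instruction->ready) {
+// set_instruction_ready can remove instructions from the list we're
+// iterating
+size_t length = view->swayc->instructions->length;
 set_instruction_ready(instruction);
+size_t num_removed = length - view->swayc->instructions->length;
+i -= num_removed;
+index -= num_removed;
 }
 }
 }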
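Review bot: The new adjustment `i -= num_removed; index -= num_removed;` assumes every entry removed by `set_instruction_ready` sat at or before position `i`, and nothing in the hunk bounds the result. If a single call removes more than `i + 1` entries (the commit message says any number of transactions may be applied, though `set_instruction_ready` itself is outside the hunk), `i` ends up below -1 and the next `items[i]` read lands before the start of the array. The subtraction also mixes `size_t` with the `int` parameter `index`, so it relies on unsigned wraparound and would misbehave if the list ever grew during the call. I would hold the lengths in `int` and clamp: `int removed = before - view->swayc->instructions->length;`, then `i = removed > i ? -1 : i - removed;` and `index = removed > index ? 0 : index - removed;`, which at worst rescans entries that are already ready. The loop header is above the hunk, so this assumes `i` is an `int` advanced by the `for`.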