aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLibravatar Michael Weiser <michael.weiser@gmx.de>2021-04-18 23:45:01 +0200
committerLibravatar Simon Ser <contact@emersion.fr>2021-06-24 18:21:29 +0200
commit599874a15811c4fc2baef171135b3061d08ae294 (patch)
treeed45b298299457b5743507a05c33fd39340ea539
parentdesktop/layer_shell: fix centering for opposing anchors (diff)
downloadsway-599874a15811c4fc2baef171135b3061d08ae294.tar.gz
sway-599874a15811c4fc2baef171135b3061d08ae294.tar.zst
sway-599874a15811c4fc2baef171135b3061d08ae294.zip
Prevent use-after-free on first bar subcommand error
If any error is encountered during execution of the first subcommand of a freshly created bar configuration, parsing apparently is to be aborted and the current bar config is freed. The pointer to that memory is left dangling though, leading to a use-after-free on successive bar subcommands. This quite reliably ends in a crash like so: sway -c reproducer.config 00:00:00.083 [sway/config.c:865] Error on line 2 'foo bar': Unknown/invalid command 'foo' (s) free(): double free detected in tcache 2 00:00:00.608 [swaynag/swaynag.c:451] failed to register with the wayland display Aborted (core dumped) Minimal reproducer config: bar { foo bar position top } Other messages: malloc(): unaligned fastbin chunk detected double free or corruption (fasttop) The invalid command has to be the first for a newly created bar config. Removing the command or switching order so it's not the first one masks the problem. Prevent this from occuring by resetting the pointer to NULL after freeing the memory. Signed-off-by: Michael Weiser <michael.weiser@gmx.de> (cherry picked from commit 730efbc89c40a534f5463b5d872ca856fe7cedc4)
-rw-r--r--sway/commands/bar.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sway/commands/bar.c b/sway/commands/bar.c
index a58f5438..8571d282 100644
--- a/sway/commands/bar.c
+++ b/sway/commands/bar.c
@@ -116,6 +116,7 @@ struct cmd_results *cmd_bar(int argc, char **argv) {
116 if (res && res->status != CMD_SUCCESS) { 116 if (res && res->status != CMD_SUCCESS) {
117 if (id) { 117 if (id) {
118 free_bar_config(config->current_bar); 118 free_bar_config(config->current_bar);
119 config->current_bar = NULL;
119 id = NULL; 120 id = NULL;
120 } 121 }
121 return res; 122 return res;