From 073ac425d5bf6f6393eb91d9b5f84e3caa68f511 Mon Sep 17 00:00:00 2001
From: Ryan Dwyer <ryandwyer1@gmail.com>
Date: Sat, 28 Jul 2018 15:19:14 +1000
Subject: Fix use after free in transactions

In set_instructions_ready, calling set_instruction_ready may cause any
number of transactions to get applied, which removes them from the list
being iterated.  The iteration variables need to be adjusted
accordingly.
---
 sway/desktop/transaction.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sway/desktop/transaction.c b/sway/desktop/transaction.c
index ee7a0704..0a24c4fc 100644
--- a/sway/desktop/transaction.c
+++ b/sway/desktop/transaction.c
@@ -364,7 +364,13 @@ static void set_instructions_ready(struct sway_view *view, int index) {
 		struct sway_transaction_instruction *instruction =
 			view->swayc->instructions->items[i];
 		if (!instruction->ready) {
+			// set_instruction_ready can remove instructions from the list we're
+			// iterating
+			size_t length = view->swayc->instructions->length;
 			set_instruction_ready(instruction);
+			size_t num_removed = length - view->swayc->instructions->length;
+			i -= num_removed;
+			index -= num_removed;
 		}
 	}
 }
-- 
cgit v1.2.3-54-g00ecf