diff options
| author | YaNing Lu <luyaning@uniontech.com> | 2026-03-26 16:38:38 +0800 |
|---|---|---|
| committer | YaNing Lu <luyaning@uniontech.com> | 2026-03-30 08:52:42 +0800 |
| commit | e647f6304d7491fa436047908dc559f5badf613e (patch) | |
| tree | 06caf242e8758efcf3fbedc58908789cf7ac368e | |
| parent | Send wl_registry.global_remove to global's offer list (diff) | |
| download | wayland-main.tar wayland-main.tar.gz wayland-main.tar.bz2 wayland-main.tar.lz wayland-main.tar.xz wayland-main.tar.zst wayland-main.zip | |
for_each_helper caches the entries->data pointer and array size before
iterating. If a compositor calls wl_client_for_each_resource() and the
provided callback triggers the creation of a new client object, the
underlying wl_array may be reallocated via realloc().
When this happens, the cached start pointer becomes dangling. Subsequent
iterations will read from the freed memory block, causing already-destroyed
resources to be destroyed a second time (e.g., leading to a double-free
crash in wl_list_remove()).
Fix this by dynamically re-fetching entries->data and entries->size on
every loop iteration, ensuring the iterator always accesses the valid
live array.
Signed-off-by: YaNing Lu <luyaning@uniontech.com>
| -rw-r--r-- | src/wayland-util.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/wayland-util.c b/src/wayland-util.c index f551867..15e157d 100644 --- a/src/wayland-util.c +++ b/src/wayland-util.c @@ -424,10 +424,12 @@ for_each_helper(struct wl_array *entries, wl_iterator_func_t func, void *data) union map_entry entry, *start; size_t count; - start = (union map_entry *) entries->data; - count = entries->size / sizeof(union map_entry); + for (size_t idx = 0; ; idx++) { + count = entries->size / sizeof(union map_entry); + if (idx >= count) + break; - for (size_t idx = 0; idx < count; idx++) { + start = (union map_entry *) entries->data; entry = start[idx]; if (entry.data && !map_entry_is_free(entry)) { ret = func(map_entry_get_data(entry), data, map_entry_get_flags(entry)); |