util: fix use-after-free in for_each_helper - wayland

diff options

author	YaNing Lu <luyaning@uniontech.com>	2026-03-26 16:38:38 +0800
committer	YaNing Lu <luyaning@uniontech.com>	2026-03-30 08:52:42 +0800
commit	e647f6304d7491fa436047908dc559f5badf613e (patch)
tree	06caf242e8758efcf3fbedc58908789cf7ac368e /compositor
parent	Send wl_registry.global_remove to global's offer list (diff)
download	wayland-main.tar wayland-main.tar.gz wayland-main.tar.bz2 wayland-main.tar.lz wayland-main.tar.xz wayland-main.tar.zst wayland-main.zip

util: fix use-after-free in for_each_helperHEAD main

for_each_helper caches the entries->data pointer and array size before iterating. If a compositor calls wl_client_for_each_resource() and the provided callback triggers the creation of a new client object, the underlying wl_array may be reallocated via realloc(). When this happens, the cached start pointer becomes dangling. Subsequent iterations will read from the freed memory block, causing already-destroyed resources to be destroyed a second time (e.g., leading to a double-free crash in wl_list_remove()). Fix this by dynamically re-fetching entries->data and entries->size on every loop iteration, ensuring the iterator always accesses the valid live array. Signed-off-by: YaNing Lu <luyaning@uniontech.com>

Diffstat (limited to 'compositor')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: