From 46d0bc1670df988feb6700a994b1b18689e9a0a1 Mon Sep 17 00:00:00 2001 From: Akos Horvath Date: Sat, 30 Dec 2023 14:19:13 +0100 Subject: [PATCH] fix use after free --- src/util.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/src/util.c b/src/util.c index 334e7cd..70592c8 100644 --- a/src/util.c +++ b/src/util.c @@ -431,7 +431,6 @@ void wm_treenode_remove_node(Wm *wm, TreeNode *root, TreeNode *node) DEBUG_PRINT("%s: other_client was NULL!\n", __func__); TreeNode *sibling_node = wm_treenode_split_get_sibling(node); - wm_treenode_free(node); // wm_nodearray_free(&node->children); @@ -441,9 +440,15 @@ void wm_treenode_remove_node(Wm *wm, TreeNode *root, TreeNode *node) if (parent->parent == NULL) { // parent is root node DEBUG_PRINT("parent is root node!\n"); - sibling_node->parent = NULL; assert(node->type == NODE_CLIENT); - node->client->ws->tree = sibling_node; + + TreeNode old_root = *node->client->ws->tree; + + sibling_node->parent = NULL; + *node->client->ws->tree = *sibling_node; + + wm_nodearray_free(old_root.children); + free(sibling_node); node->client->ws->tree->pos = (Rect) { .x = wm->config.border_width, .y = wm->config.border_width + dock_y , @@ -467,6 +472,8 @@ void wm_treenode_remove_node(Wm *wm, TreeNode *root, TreeNode *node) } assert(node->client->ws->tree->children->size >= 1); + + wm_treenode_free(node); } TreeNode* wm_treenode_split_get_sibling(TreeNode *node) @@ -555,7 +562,7 @@ TreeNode* wm_treenode_remove_client(Wm *wm, TreeNode *root, Client *client) } assert(client->ws->tree->children->size >= 1); - return node->children->nodes[0]; + return client->ws->tree->children->nodes[0]; } NodeArray* wm_nodearray_new() @@ -578,7 +585,7 @@ void wm_nodearray_push(NodeArray *arr, TreeNode *node) arr->size++; if (arr->size >= arr->capacity) { - TreeNode* temp = calloc(arr->capacity, sizeof(TreeNode*)); + TreeNode** temp = calloc(arr->capacity, sizeof(TreeNode*)); assert(temp); memcpy(temp, arr->nodes, arr->capacity * sizeof(TreeNode*)); free(arr->nodes);