From 1fd21650d731ebed8ab8ebfc9e21526cdf162525 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Fri, 13 Apr 2018 14:56:58 +0900 Subject: [PATCH 1/2] seat_set_focus_wrap: fix use-after-free when destroying last focused container --- sway/input/seat.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sway/input/seat.c b/sway/input/seat.c index 467e50875..431460c41 100644 --- a/sway/input/seat.c +++ b/sway/input/seat.c @@ -491,6 +491,9 @@ void seat_set_focus_warp(struct sway_seat *seat, ipc_event_workspace(last_ws, container, "focus"); if (!workspace_is_visible(last_ws) && last_ws->children->length == 0) { + if (last_ws == last_focus) { + last_focus = NULL; + } container_destroy(last_ws); } } From de65d05821d5eaae6525e86363c76aaa395346fb Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Fri, 13 Apr 2018 14:57:36 +0900 Subject: [PATCH 2/2] container_destroy: fix segfault cont->children doesn't have to be NULL when there is no children --- sway/tree/container.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sway/tree/container.c b/sway/tree/container.c index ea1c93bb6..c00674939 100644 --- a/sway/tree/container.c +++ b/sway/tree/container.c @@ -104,7 +104,7 @@ static void _container_destroy(struct sway_container *cont) { if (cont->children != NULL && cont->children->length) { // remove children until there are no more, container_destroy calls // container_remove_child, which removes child from this container - while (cont->children != NULL) { + while (cont->children != NULL && cont->children->length > 0) { struct sway_container *child = cont->children->items[0]; container_remove_child(child); _container_destroy(child);