From 9aaf0fc707aa9c3f9e43925c024b6492a28eb623 Mon Sep 17 00:00:00 2001
From: Yuxuan Shui
Date: Thu, 21 Feb 2019 01:40:04 +0000
Subject: [PATCH] Fix a use-after-free

paint_preprocess takes head of the window list as an argument. The actual head of the window list might be freed and deleted during processing of fade, but paint_preprocess will keep using the old head of the list, thus uses freed memory. Solution is just don't pass the head as an argument. paint_preprocess will use session_t::list directly.

Signed-off-by: Yuxuan Shui
---
 src/compton.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/compton.c b/src/compton.c
index dee812f..95bd8aa 100644
--- a/src/compton.c
+++ b/src/compton.c
@@ -468,7 +468,7 @@ find_client_win(session_t *ps, xcb_window_t w) {
 }

 static win *
-paint_preprocess(session_t *ps, win *list, bool *fade_running) {
+paint_preprocess(session_t *ps, bool *fade_running) {
 // XXX need better, more general name for `fade_running`. It really
 // means if fade is still ongoing after the current frame is rendered
 win *t = NULL, *next = NULL;
@@ -488,7 +488,7 @@ paint_preprocess(session_t *ps, win *list, bool *fade_running) {
 ps->fade_time += steps * ps->o.fade_delta;

 // First, let's process fading
- for (win *w = list; w; w = next) {
+ for (win *w = ps->list; w; w = next) {
 next = w->next;
 const winmode_t mode_old = w->mode;
 const bool was_painted = w->to_paint;
@@ -539,7 +539,7 @@ paint_preprocess(session_t *ps, win *list, bool *fade_running) {
 // Trace whether it's the highest window to paint
 bool is_highest = true;
 bool reg_ignore_valid = true;
- for (win *w = list; w; w = next) {
+ for (win *w = ps->list; w; w = next) {
 __label__ skip_window;
 bool to_paint = true;
 // w->to_paint remembers whether this window is painted last time
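Review bot: paint_preprocess carries no comment recording why it no longer takes the list head, so a later refactor could reintroduce a cached head pointer and with it the use-after-free. Above the new signature I would add `// Walks ps->list itself: fade processing can free windows, including the head, so callers must not pass in or cache a list pointer across this call.` The function still returns a `win *`, and nothing visible in the hunk says how long that pointer stays valid, so a second comment line stating it would help callers. The function body continues outside the hunk.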
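Review bot: The fade loop at -488 still advances through a saved `next = w->next`, which is only safe if handling `w` can free `w` itself and never the window that follows it. The commit message says windows can be freed during fade processing, but the code that frees them is outside the hunk, so this is an assumption to confirm rather than a confirmed defect. I would state the invariant at the loop, `// next is saved first because finishing w's fade may free w; it must never free w->next`, and run the fade-out path under AddressSanitizer to check it. The loop at -539 advances through the same function-scope `next`, and its body is also outside the hunk.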
@@ -2115,7 +2115,7 @@ _draw_callback(EV_P_ session_t *ps, int revents) {
 }

 bool fade_running = false;
- win *t = paint_preprocess(ps, ps->list, &fade_running);
+ win *t = paint_preprocess(ps, &fade_running);
 ps->tmout_unredir_hit = false;

 // Start/stop fade timer depends on whether window are fading