]> git.sur5r.net Git - i3/i3/commit
Prevent access of freed workspace in _workspace_show 3078/head
authorOrestis Floros <orestisf1993@gmail.com>
Sat, 9 Dec 2017 20:17:48 +0000 (22:17 +0200)
committerOrestis Floros <orestisf1993@gmail.com>
Sun, 10 Dec 2017 19:37:43 +0000 (21:37 +0200)
commitd134745c4f1717d3ab6c2dc28f55e5c75b983950
tree61576cfdd91073774e444cc62fc09ba9ad73629e
parent9d2d602d6086e66a98389b17b475c092a6c1ac37
Prevent access of freed workspace in _workspace_show

The bug triggers when _workspace_show calls tree_close_internal and
old == old_focus. Ie, when the old workspace was empty and needs to be
closed but then is accessed as output_push_sticky_windows's argument:
Breakpoint 1, output_push_sticky_windows (to_focus=0x55555589c8a0) at ../../i3/src/output.c:102
102                     con_move_to_workspace(current, visible_ws, true, false, current != to_focus->parent);
(gdb) print con_exists(to_focus)
$1 = false

The access violation can also be prevented by checking if
con_exists(old_focus) but it shouldn't be necessary: the old_focus
container can only be killed when it is an empty workspace.

With --enable-sanitizers this causes i3 to exit but with
--disable-sanitizers the access violation doesn't reliably cause a crash
and the con_move_to_workspace call continues with:
(gdb) print current != to_focus->parent
$2 = 1

Since current->type is CT_FLOATING_CON and to_focus->type is
CT_WORKSPACE, in this specific case ignore_focus would always be true.
So, in this case, passing NULL instead of old_focus to
output_push_sticky_windows doesn't change the behaviour of i3.

Fixes #3075.
src/output.c
src/workspace.c
testcases/t/293-sticky-output-crash.t [new file with mode: 0644]