From: tokyo4j <hrak1529@gmail.com>
Date: Sun, 5 May 2024 09:41:10 +0000 (+0900)
Subject: menu: reset parser state in `menu_finish()`
X-Git-Url: https://git.mdlowis.com/?a=commitdiff_plain;h=95dc4ac4b5221c06113137aeeeb366c69627cb8e;p=proto%2Flabwc.git

menu: reset parser state in `menu_finish()`

This fixes use-after-free in `fill_item()` on Reconfigure with
invalid `menu.xml` like below:

<openbox_menu>
  <menu id="root-menu">
    <item id="rofi-run" label="Run command">
      <action name="Execute" command="rofi-run" />
    </item>
  </menu>
</openbox_menu>
---

diff --git a/src/menu/menu.c b/src/menu/menu.c
index 84b86793..064c803b 100644
--- a/src/menu/menu.c
+++ b/src/menu/menu.c
@@ -960,6 +960,11 @@ void
 menu_finish(struct server *server)
 {
 	menu_free_from(server, NULL);
+
+	/* Reset state vars for starting fresh when Reload is triggered */
+	current_item = NULL;
+	current_item_action = NULL;
+	current_menu = NULL;
 }
 
 /* Sets selection (or clears selection if passing NULL) */