From: John Lindgren <john@jlindgren.net>
Date: Fri, 15 Aug 2025 05:29:15 +0000 (-0400)
Subject: menu: fix use-after-free at exit with sub-menu selected
X-Git-Url: https://git.mdlowis.com/?a=commitdiff_plain;h=d9f7ccf3aa256a133fa4f2b62d19a473435ae621;p=proto%2Flabwc.git

menu: fix use-after-free at exit with sub-menu selected

Sequence of events:

- menu_finish() frees the sub-menu first
- the selection.menu of the parent menu is now dangling
- menu_finish() frees the parent menu
- menu_free() calls menu_close_root() on the parent menu
- menu_close_root() tries to close the (freed) sub-menu
- boom

Extending nullify_item_pointing_to_this_menu() avoids the crash.
---

diff --git a/src/menu/menu.c b/src/menu/menu.c
index 69527ce0..136d2b44 100644
--- a/src/menu/menu.c
+++ b/src/menu/menu.c
@@ -1027,6 +1027,10 @@ nullify_item_pointing_to_this_menu(struct menu *menu)
 		if (iter->parent == menu) {
 			iter->parent = NULL;
 		}
+
+		if (iter->selection.menu == menu) {
+			iter->selection.menu = NULL;
+		}
 	}
 }