From 5b6b582cb82777cde948aaf0b2e82e9995413d05 Mon Sep 17 00:00:00 2001
From: Konst Mayer
Date: Sat, 6 May 2023 19:01:01 +0700
Subject: Prevent use-after-free g_slist_delete_link() frees the `lc` element, so we must not access it using `lc->next` after that.
---
 src/autocmd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/autocmd.c b/src/autocmd.c
index 2127d8e..f3a1875 100644
--- a/src/autocmd.c
+++ b/src/autocmd.c
@@ -192,12 +192,15 @@ gboolean autocmd_add(Client *c, char *name, gboolean delete)
 /* delete the autocmd if bang was given */
 if (delete) {
- GSList *lc;
+ GSList *lc, *next;
 AutoCmd *cmd;
 gboolean removed = false;
 /* check if the group does already exists */
- for (lc = grp->cmds; lc; lc = lc->next) {
+ for (lc = grp->cmds; lc; lc = next) {
+ /* Save the next element in case this element is removed */
+ next = lc->next;
+ cmd = (AutoCmd*)lc->data;
 /* if not bits match - skip the command */
 if (!(cmd->bits & bits)) {
-- 
cgit v1.2.3
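Review bot: The saved `next` at the top of the loop stays valid only while the body frees nothing except the current node, and the new comment does not record that assumption. I would word it `/* g_slist_delete_link() frees lc: read lc->next first; the body may unlink only lc itself */`. The removal call and the rest of the loop body are outside this hunk, so that it unlinks only `lc` is inferred from the commit message rather than checked here. A regression test that deletes a matching autocmd that is not the last one in its group, run under AddressSanitizer, would keep this use-after-free from returning.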