Platform
- OS (kernel): 6.19.10-arch1-1
- Compiler: gcc 15.2.1 (20260209)
- jsoncpp: 1.9.6-3
Waybar version
- make build-debug in Makefile of repo
Description
While debugging a scrolling issue mentioned in #4862, I noticed a likely lifetime bug in group creation.
At src/bar.cpp:544 there is this code:
auto group_config = config[ref];
if (group_config["modules"].isNull()) {
spdlog::warn("Group definition '{}' has not been found, group will be hidden", ref);
}
auto* group_module = new waybar::Group(id_name, class_name, group_config, vertical);
group_config is a local Json::Value (a copy). I know that in the jsoncpp documentation operator[] returns a reference, but I don't know why it is still copied by value. The Group constructor takes const Json::Value& and forwards it to AModule. AModule stores it as a reference member (const Json::Value& config_). This means config_ may end up referencing the stack object group_config, which is destroyed at the end of the block, leaving a dangling reference (use-after-free / undefined behavior). Later, scroll handling code (e.g. AModule::handleScroll -> AModule::getScrollDir(GdkEventScroll* e)) may access config_ and crash.
As I see it, the current fix for this bug only disables the event handler for Group. So I'm raising a question here.
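The lifetime problem described in this report, reduced to a stand-alone C++ example (added here; not Waybar's code and not jsoncpp). It assumes a small Node type whose operator[] returns a reference into the parent, standing in for Json::Value, and a Module that stores a const reference the way AModule does. It shows why `auto group_config = config[ref]` yields a copy that the module ends up referencing, and that `const auto&` binds to the node owned by the config tree instead.

```cpp
#include <iostream>
#include <map>
#include <string>

// Stand-in for jsoncpp's Json::Value (constructed for this example): a node whose
// operator[] hands back a reference to a child stored inside the parent, which is
// the behaviour the report relies on.
struct Node {
    std::string text;
    std::map<std::string, Node> children;
    Node& operator[](const std::string& key) { return children[key]; }
};

// Mirrors the AModule pattern in the report: the module keeps a reference,
// not a copy, to the configuration it was constructed with.
struct Module {
    explicit Module(const Node& cfg) : config_(cfg) {}
    const Node& config_;
};

// Constructed sample configuration with one group definition.
Node sample_config() {
    Node config;
    config["group"]["modules"].text = "clock";
    return config;
}

// `auto group_config = config["group"];` deduces Node, so group_config is a copy on
// this function's stack. The module's reference points at that copy, not at the node
// inside `config`; once group_config goes out of scope the reference dangles.
// (The address is compared while the copy is still alive, so the check itself is
// well-defined.) Returns false.
bool module_refers_to_tree_node_with_auto() {
    Node config = sample_config();
    auto group_config = config["group"];
    Module module(group_config);
    return &module.config_ == &config["group"];
}

// Binding with `const auto&` keeps the reference to the node owned by `config`, so
// the module stays valid for as long as `config` does. Returns true. Whether the
// config tree outlives every module in Waybar is an assumption this example does not check.
bool module_refers_to_tree_node_with_const_ref() {
    Node config = sample_config();
    const auto& group_config = config["group"];
    Module module(group_config);
    return &module.config_ == &config["group"];
}

int main() {
    std::cout << "auto (copy) refers to tree node: " << module_refers_to_tree_node_with_auto() << '\n'
              << "const auto& refers to tree node: " << module_refers_to_tree_node_with_const_ref() << '\n';
}
```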