[mutter] stack: Fix a crasher from a buffer overrun
commit becce7afa0880d6576e250c8abbcb50c8baa3557
Author: Jasper St. Pierre <jstpierre mecheye net>
Date:   Sat Apr 12 08:08:02 2014 -0700

    stack: Fix a crasher from a buffer overrun
    
    The code that restacks X11 windows at the end first tracks any
    old windows we know about, and then handles any windows created.
    
    It starts when it ended, and then walks forwards and then
    back looking for the first X11 window it doesn't know about.
    However, when there aren't any X11 windows, it flies off the end
    of the array and starts looking through random memory.
    
    When it finds the X11 window, it then goes through and then tries
    to restack the remaining windows according to how we've sorted
    them.
    
    Unfortunately, META_WINDOW_CLIENT_TYPE_X11 is 0, which is quite
    common in random memory we have lying around, so we enter that
    path and then just crash.
    
    Fix the buffer overrun by adding the proper bounds check to the
    search.
    
    You can easily reproduce this by opening a menu while bloatpad
    is full-screen. Why it only crashes when full-screen and not
    when a standard window, I have no idea.

 src/core/stack.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/src/core/stack.c b/src/core/stack.c
index a8d9753..5465310 100644
--- a/src/core/stack.c
+++ b/src/core/stack.c
@@ -1508,7 +1508,7 @@ stack_sync_to_xserver (MetaStack *stack)
           if (x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11)
             {
               for (x_ref = newp;
-                   x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref > new_stack;
+                   x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref < new_end;
                    x_ref++)
                 ;
             }
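Review bot: the new loop condition still dereferences before it bounds-checks: `x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref < new_end` evaluates `x_ref->any.type` first, so on the final iteration, when `x_ref` has been incremented to `new_end`, the loop reads one element past the array before the `x_ref < new_end` comparison ends it. Swapping the operands makes the short-circuit do the guarding: `x_ref < new_end && x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11`. The replaced `x_ref > new_stack` compared against the start of the array while the loop walks forward with `x_ref++`, so it never bounded the forward walk at all, which matches the overrun the commit message describes. Also worth confirming in the surrounding code (not in this hunk) that `new_end` is one past the last valid entry and that the code after the loop handles `x_ref == new_end`, the case where no X11 window exists, without dereferencing `x_ref`.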

