config layout stack crashes with buffer overflow when space has >32 windows #2761

@jbriales

Description

yabai -m config layout stack silently crashes (segfault) when a space contains more than 32 manageable windows.

Root cause

view_stack_window_node() in src/view.c:730 writes into fixed-size arrays (window_list and window_order) of NODE_MAX_WINDOW_COUNT (32) elements with no bounds check. When window_count exceeds 32, the memmove calls and array writes overflow the buffer, corrupt the window_node struct, and cause a segfault.

How to reproduce

  1. Open 33+ windows on a single space (e.g., Chrome windows)
  2. Run yabai -m config layout stack
  3. yabai crashes silently — no error message, the process just dies

A common scenario: after a macOS restart, Chrome restores all its windows onto a single space. With 40-50+ Chrome windows this reliably triggers the crash.

Suggested fix

  1. Increase NODE_MAX_WINDOW_COUNT (e.g., to 128)
  2. Add a bounds check in view_stack_window_node() to return failure when the limit is reached
  3. Handle the failure in callers (view_add_window_node_with_insertion_point)

Environment

  • macOS 26 Tahoe
  • yabai v7.1.17
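
The bounds check from step 2 of the suggested fix, with the caller handling the failure as in step 3, as an added example that is not yabai's code or part of the original report. The `demo_node` struct, the `demo_*` functions and the `canary` field are hypothetical stand-ins; only `NODE_MAX_WINDOW_COUNT`, `window_list`, `window_order` and `window_count` are names taken from the issue.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NODE_MAX_WINDOW_COUNT 32  /* limit named in the issue */

/* Hypothetical stand-in for the node struct; array names follow the issue. */
struct demo_node {
    uint32_t window_list[NODE_MAX_WINDOW_COUNT];   /* insertion order */
    uint32_t window_order[NODE_MAX_WINDOW_COUNT];  /* most recent first */
    uint32_t window_count;
    uint32_t canary;  /* stands in for fields an overflow would corrupt */
};

/* Push a window id onto the stack; refuse instead of writing past the arrays. */
bool demo_stack_window(struct demo_node *node, uint32_t window_id)
{
    /* Without this check, entry 33 lands outside both arrays. */
    if (node->window_count >= NODE_MAX_WINDOW_COUNT) return false;

    /* Shift the existing entries right by one; in bounds because count < max. */
    memmove(node->window_order + 1, node->window_order,
            sizeof(uint32_t) * node->window_count);
    node->window_order[0] = window_id;
    node->window_list[node->window_count] = window_id;
    node->window_count++;
    return true;
}

/* Caller side: try to stack `total` windows and count the rejected ones,
 * so the caller can leave them unstacked or log them instead of crashing. */
uint32_t demo_stack_many(struct demo_node *node, uint32_t total)
{
    uint32_t rejected = 0;
    for (uint32_t i = 0; i < total; ++i) {
        /* Constructed sample ids: 1000, 1001, ... */
        if (!demo_stack_window(node, 1000 + i)) ++rejected;
    }
    return rejected;
}

int main(void)
{
    struct demo_node node = { .canary = 0xC0FFEEu };
    uint32_t rejected = demo_stack_many(&node, 45);  /* 45 windows on one space */
    return (rejected == 13 && node.canary == 0xC0FFEEu) ? 0 : 1;
}
```

Raising the limit alone (step 1) only moves the crash threshold; the check is what keeps the write inside the arrays for any window count.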
