From 328d5c2a9920bef4c7d444f0764c6bce3cd2c8cb Mon Sep 17 00:00:00 2001
From: Nic Boet
Date: Sun, 8 Feb 2026 22:37:40 -0600
Subject: [PATCH] fix: move sendFrame inside mutex scope to prevent race condition
sendFrame() reads frames[curr_frame_id-1] but was called outside the mutex scope. The command processor thread (running processCommand via checkCommandQueue) can modify curr_frame_id or reload the event (clearing/rebuilding frames) between the mutex unlock and the sendFrame call, causing out-of-bounds access. Move sendFrame into the first mutex scope so frames[] access is protected from concurrent modification by the command thread.
Co-Authored-By: Claude Opus 4.6
---
src/zm_eventstream.cpp | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/src/zm_eventstream.cpp b/src/zm_eventstream.cpp
index d22cea48b..109ccf1d6 100644
--- a/src/zm_eventstream.cpp
+++ b/src/zm_eventstream.cpp
@@ -1079,22 +1079,18 @@ void EventStream::runStream() {
 continue;
 } // end if !in_event
- } // end scope for mutex lock
- if (send_frame) {
- if (!sendFrame(delta)) {
- zm_terminate = true;
- break;
+ if (send_frame) {
+ if (!sendFrame(delta)) {
+ zm_terminate = true;
+ break;
+ }
+ if (send_twice and !sendFrame(delta)) {
+ zm_terminate = true;
+ break;
+ }
+ frame_count++;
 }
- if (send_twice and !sendFrame(delta)) {
- zm_terminate = true;
- break;
- }
- frame_count++;
- }
-
- {
- std::scoped_lock lck{mutex};
 if (!paused && !event_data->frames.empty() && curr_frame_id >= 1 && curr_frame_id <= (int)event_data->frames.size()) {
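Review bot: The relocated `if (send_frame)` block still calls `sendFrame(delta)` with no range check on `curr_frame_id`. Holding the mutex stops the command thread changing it mid-call, but a value that is already out of range when the lock is taken (for example after an event reload that left fewer frames) would still reach `frames[curr_frame_id-1]`. The trailing context already carries the right guard, so unless code earlier in this scope guarantees the range, consider `if (send_frame && curr_frame_id >= 1 && curr_frame_id <= (int)event_data->frames.size()) {`, or the same check at the top of sendFrame. Separately, with the second `std::scoped_lock` removed, the mutex now appears to be held across both sendFrame calls and the block that follows. If sendFrame blocks on client I/O, a slow client can stall the command thread, which deserves a comment such as `// NOTE: mutex held across sendFrame; keep its I/O bounded`. The body of runStream, including the brace that now closes this lock scope, lies outside the hunk.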