woohyun pushed a commit to branch master.
http://git.enlightenment.org/core/efl.git/commit/?id=2791c3dc06bc1fc8f4460df9056724102d0c7c66
commit 2791c3dc06bc1fc8f4460df9056724102d0c7c66
Author: WooHyun Jung <wh0705.j...@samsung.com>
Date: Tue Mar 11 16:34:56 2014 +0900
evas: Replace EINA_LIST_FOREACH_SAFE to while statement.
Clipees can be cleared before the loop is finished because
evas_object_clip_unset calls smart function of clip_unset.
So, if we use EINA_LIST_FOREACH_SAFE, invalid next list pointer
can be kept and read after obj->clip.clipees is freed.
Thanks to Davide Andreoli for reporting.
@fix
---
src/lib/evas/canvas/evas_object_main.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lib/evas/canvas/evas_object_main.c
b/src/lib/evas/canvas/evas_object_main.c
index ff679cb..cc6c59c 100644
--- a/src/lib/evas/canvas/evas_object_main.c
+++ b/src/lib/evas/canvas/evas_object_main.c
@@ -621,7 +621,6 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list
EINA_UNUSED)
return;
MAGIC_CHECK_END();
Evas_Object_Protected_Data *obj = _pd;
- Evas_Object_Protected_Data *tmp;
Evas_Object *proxy;
Eina_List *l, *l2;
@@ -654,8 +653,14 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list
EINA_UNUSED)
goto end;
}
evas_object_grabs_cleanup(eo_obj, obj);
- EINA_LIST_FOREACH_SAFE(obj->clip.clipees, l, l2, tmp)
- evas_object_clip_unset(tmp->object);
+ /* "while" should be used for null check of obj->clip.clipees,
+ because evas_objct_clip_unset can set null to obj->clip.clipees */
+ while (obj->clip.clipees)
+ {
+ Evas_Object_Protected_Data *tmp;
+ tmp = eina_list_data_get(obj->clip.clipees);
+ evas_object_clip_unset(tmp->object);
+ }
EINA_LIST_FOREACH_SAFE(obj->proxy->proxies, l, l2, proxy)
{
if (eo_isa(proxy, EVAS_OBJ_IMAGE_CLASS))
--
