[EGIT] [core/efl] master 01/03: evas: Fix double free in post events

Mon, 13 Feb 2017 22:39:13 -0800 

jpeg pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=65ae1c812c8fd8893e78c98a35908794b4a3af9a

commit 65ae1c812c8fd8893e78c98a35908794b4a3af9a
Author: Jean-Philippe Andre <[email protected]>
Date:   Tue Feb 14 14:42:33 2017 +0900

    evas: Fix double free in post events
    
    A use of the post event callback in Bryce triggered a double free
    as an event was being processed but not yet removed from its list,
    leading to an invalid state of the Eina_List.
    
    Also remove obj from struct as it is unused.
    
    Fixes T5157
---
 src/lib/evas/canvas/evas_callbacks.c | 7 ++++---
 src/lib/evas/include/evas_private.h  | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/evas/canvas/evas_callbacks.c 
b/src/lib/evas/canvas/evas_callbacks.c
index 84f07ff..2b4e88e 100644
--- a/src/lib/evas/canvas/evas_callbacks.c
+++ b/src/lib/evas/canvas/evas_callbacks.c
@@ -225,6 +225,7 @@ void
 _evas_post_event_callback_call(Evas *eo_e, Evas_Public_Data *e)
 {
    Evas_Post_Callback *pc;
+   Eina_List *l, *l_next;
    int skip = 0;
    static int first_run = 1; // FIXME: This is a workaround to prevent this
                              // function from being called recursively.
@@ -232,8 +233,9 @@ _evas_post_event_callback_call(Evas *eo_e, Evas_Public_Data 
*e)
    if (e->delete_me || (!first_run)) return;
    _evas_walk(e);
    first_run = 0;
-   EINA_LIST_FREE(e->post_events, pc)
+   EINA_LIST_FOREACH_SAFE(e->post_events, l, l_next, pc)
      {
+        e->post_events = eina_list_remove_list(e->post_events, l);
         if ((!skip) && (!e->delete_me) && (!pc->delete_me))
           {
              if (!pc->func((void*)pc->data, eo_e)) skip = 1;
@@ -577,12 +579,11 @@ evas_post_event_callback_push(Evas *eo_e, 
Evas_Object_Event_Post_Cb func, const
    Evas_Public_Data *e = efl_data_scope_get(eo_e, EVAS_CANVAS_CLASS);
    Evas_Post_Callback *pc;
 
-   if (!e) return;
+   if (!e || e->delete_me) return;
    EVAS_MEMPOOL_INIT(_mp_pc, "evas_post_callback", Evas_Post_Callback, 64, );
    pc = EVAS_MEMPOOL_ALLOC(_mp_pc, Evas_Post_Callback);
    if (!pc) return;
    EVAS_MEMPOOL_PREP(_mp_pc, pc, Evas_Post_Callback);
-   if (e->delete_me) return;
 
    pc->func = func;
    pc->data = data;
diff --git a/src/lib/evas/include/evas_private.h 
b/src/lib/evas/include/evas_private.h
index 650f617..7360391 100644
--- a/src/lib/evas/include/evas_private.h
+++ b/src/lib/evas/include/evas_private.h
@@ -785,7 +785,6 @@ struct _Evas_Lock
 
 struct _Evas_Post_Callback
 {
-   Evas_Object               *obj;
    Evas_Object_Event_Post_Cb  func;
    const void                *data;
    unsigned char              delete_me : 1;

--

Reply via email to