Author: post
Date: 2014-01-05 20:11:42 +0100 (Sun, 05 Jan 2014)
New Revision: 608
Modified:
RawSpeed/RawImage.cpp
Log:
Fix use after free case in RawImage refcounting.
Modified: RawSpeed/RawImage.cpp
===================================================================
--- RawSpeed/RawImage.cpp 2013-11-04 07:36:31 UTC (rev 607)
+++ RawSpeed/RawImage.cpp 2014-01-05 19:11:42 UTC (rev 608)
@@ -275,7 +275,7 @@
{
int height = cropped ? dim.y : uncropped_dim.y;
- int threads = getThreadCount();
+ int threads = getThreadCount();
if (threads <= 1) {
RawImageWorker worker(this, task, 0, height);
worker.performTask();
@@ -394,11 +394,18 @@
if (this == &p) // Same object?
return *this; // Yes, so skip assignment, and just return *this.
pthread_mutex_lock(&p_->mymutex);
+ // Retain the old RawImageData before overwriting it
RawImageData* const old = p_;
p_ = p.p_;
+ // Increment use on new data
++p_->dataRefCount;
- if (--old->dataRefCount == 0) delete old;
- pthread_mutex_unlock(&p_->mymutex);
+ // If the RawImageData previously used by "this" is unused, delete it.
+ if (--old->dataRefCount == 0) {
+ pthread_mutex_unlock(&(old->mymutex));
+ delete old;
+ } else {
+ pthread_mutex_unlock(&(old->mymutex));
+ }
return *this;
}
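Review bot: The increment `++p_->dataRefCount` on the incoming data still runs while only the old object's `mymutex` is held, so it is not serialised against other threads that adjust the same counter under the incoming object's own mutex. Assuming `dataRefCount` is a plain integer guarded by `mymutex` (its declaration is not in the hunk), a lost update there can free the buffer while a handle still points to it, which is the same use-after-free class this commit sets out to fix. I would take the reference on `p.p_` under its own mutex first and then drop the old one, never holding both locks at once, so two handles assigned in opposite directions cannot deadlock. Capturing the decrement result in a local also removes the duplicated `pthread_mutex_unlock` in the two branches. The operator's signature lies above the hunk, so this is based on the visible body only.

```cpp
// … unchanged: self-assignment check …
RawImageData* const old = p_;
RawImageData* const incoming = p.p_;

// Take the new reference under the mutex that guards its counter.
pthread_mutex_lock(&incoming->mymutex);
++incoming->dataRefCount;
pthread_mutex_unlock(&incoming->mymutex);

// Swap and release the old reference under the old object's mutex.
pthread_mutex_lock(&old->mymutex);
p_ = incoming;
const bool last_user = (--old->dataRefCount == 0);
pthread_mutex_unlock(&old->mymutex);

// Delete only after unlocking: the mutex lives inside *old.
if (last_user)
  delete old;
return *this;
```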
@@ -427,7 +434,7 @@
}
void RawImageWorker::waitForThread()
-{
+{
void *status;
pthread_join(threadid, &status);
}