authorWerner Almesberger <werner@almesberger.net>2016-08-20 20:39:08 -0300
committerWerner Almesberger <werner@almesberger.net>2016-08-20 20:39:08 -0300
commitb857d7dc32a12d8a1703110177d44289b8773fa7 (patch)
tree7c00e621270cae5b7b8cad8ec267f273be25965f /gui
parent1dc049786ea10a5629d79b278220ea923f74e422 (diff)
eeshow/gui/ (aoi_hover): could cause an access after free
Diffstat (limited to 'gui')
-rw-r--r--gui/aoi.c17
-rw-r--r--gui/aoi.h2
-rw-r--r--gui/history.c2
-rw-r--r--gui/sheet.c4
4 files changed, 17 insertions, 8 deletions
diff --git a/gui/aoi.c b/gui/aoi.c
index c8aba52..0d71948 100644
--- a/gui/aoi.c
+++ b/gui/aoi.c
@@ -57,7 +57,15 @@ static bool in_aoi(const struct aoi *aoi, int x, int y)
}
-bool aoi_hover(const struct aoi *aois, int x, int y)
+/*
+ * We need a pointer to the anchor of the AoI list here because dehovering may
+ * delete the AoI *aois points to.
+ *
+ * We could just check if hovering == *aois, but that seems risky, because
+ * hover(..., 0) may destroy more than just the AoI being dehovered.
+ */
+
+bool aoi_hover(struct aoi *const *aois, int x, int y)
{
const struct aoi *aoi;
@@ -68,7 +76,7 @@ bool aoi_hover(const struct aoi *aois, int x, int y)
hovering = NULL;
}
- for (aoi = aois; aoi; aoi = aoi->next)
+ for (aoi = *aois; aoi; aoi = aoi->next)
if (aoi->hover && in_aoi(aoi, x, y) &&
aoi->hover(aoi->user, 1)) {
hovering = aoi;
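Review bot: The loop in aoi_hover still holds `aoi` across the `aoi->hover(aoi->user, 1)` call and reads `aoi->next` when that callback returns false, so the stale-pointer hazard this commit fixes for dehovering would reappear if a hover-enter callback ever removed AoIs. Nothing visible in the diff shows that such callbacks do so, but the contract is not written down. The comment added above aoi_hover could state it, e.g. `hover(user, 1) must not add or remove AoIs on the list being walked`. The function begins and ends outside this hunk, so the dehover path that precedes the loop is only partly visible.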
@@ -118,12 +126,14 @@ void aoi_set_related(struct aoi *aoi, const struct aoi *related)
void aoi_remove(struct aoi **aois, const struct aoi *aoi)
{
+ assert(aoi);
if (hovering == aoi) {
aoi->hover(aoi->user, 0);
hovering = NULL;
}
- while (*aois != aoi)
+ while (*aois && *aois != aoi)
aois = &(*aois)->next;
+ assert(*aois);
*aois = aoi->next;
free((void *) aoi);
}
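Review bot: Both new checks in aoi_remove are `assert()`s, so a build with NDEBUG loses them. If `aoi` is not on the list, the loop now stops at the tail and `*aois = aoi->next; free((void *) aoi);` splices a foreign node's successors onto this list and frees a node that another list may still reference. Keep the asserts for debugging but add a runtime guard after the loop, `if (!*aois) return;`. Separately, `aoi->hover(aoi->user, 0)` runs while `hovering` still equals `aoi`. Given the commit's own remark that dehovering may destroy more than the AoI being dehovered, setting `hovering = NULL;` before the callback would keep a nested aoi_remove or aoi_dehover from invoking it a second time.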
@@ -135,4 +145,3 @@ void aoi_dehover(void)
hovering->hover(hovering->user, 0);
hovering = NULL;
}
-
diff --git a/gui/aoi.h b/gui/aoi.h
index 935f526..da2955b 100644
--- a/gui/aoi.h
+++ b/gui/aoi.h
@@ -32,7 +32,7 @@ struct aoi {
struct aoi *aoi_add(struct aoi **aois, const struct aoi *cfg);
void aoi_update(struct aoi *aoi, const struct aoi *cfg);
-bool aoi_hover(const struct aoi *aois, int x, int y);
+bool aoi_hover(struct aoi *const *aois, int x, int y);
bool aoi_click(const struct aoi *aois, int x, int y);
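Review bot: The header now declares two lookups with different list arguments and does not say why: `aoi_hover` takes `struct aoi *const *aois`, while `aoi_click` on the next line still takes the head by value. A short comment above the prototype would keep callers from passing the address of a copied head, e.g. `/* aois must point to the live list anchor: dehovering may free the first AoI */`. Whether aoi_click callbacks can also remove AoIs is not visible in this diff and is worth confirming.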
diff --git a/gui/history.c b/gui/history.c
index 97b1759..2425765 100644
--- a/gui/history.c
+++ b/gui/history.c
@@ -217,7 +217,7 @@ static bool history_hover_update(void *user, int x, int y)
{
struct gui_ctx *ctx = user;
- return aoi_hover(ctx->aois, x, y);
+ return aoi_hover(&ctx->aois, x, y);
}
diff --git a/gui/sheet.c b/gui/sheet.c
index 570315a..d1ec01c 100644
--- a/gui/sheet.c
+++ b/gui/sheet.c
@@ -419,9 +419,9 @@ static bool sheet_hover_update(void *user, int x, int y)
curr_sheet = find_corresponding_sheet(ctx->old_hist->sheets,
ctx->new_hist->sheets, ctx->curr_sheet);
- if (aoi_hover(ctx->aois, x, y))
+ if (aoi_hover(&ctx->aois, x, y))
return 1;
- return aoi_hover(curr_sheet->aois,
+ return aoi_hover(&curr_sheet->aois,
ex + curr_sheet->xmin, ey + curr_sheet->ymin);
}