evas: Replace EINA_LIST_FOREACH_SAFE to while statement.

Clipees can be cleared before the loop is finished because
evas_object_clip_unset calls smart function of clip_unset.
So, if we use EINA_LIST_FOREACH_SAFE, invalid next list pointer
can be kept and read after obj->clip.clipees is freed.

Thanks to Davide Andreoli for reporting.

@fix

diff --git a/src/lib/evas/canvas/evas_object_main.c b/src/lib/evas/canvas/evas_object_main.c
index ff679cb..cc6c59c 100644 (file)
--- a/src/lib/evas/canvas/evas_object_main.c
+++ b/src/lib/evas/canvas/evas_object_main.c
@@ -621,7 +621,6 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
    return;
    MAGIC_CHECK_END();
    Evas_Object_Protected_Data *obj = _pd;
-   Evas_Object_Protected_Data *tmp;
    Evas_Object *proxy;
    Eina_List *l, *l2;
 
@@ -654,8 +653,14 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
         goto end;
      }
    evas_object_grabs_cleanup(eo_obj, obj);
-   EINA_LIST_FOREACH_SAFE(obj->clip.clipees, l, l2, tmp)
-     evas_object_clip_unset(tmp->object);
+   /* "while" should be used for null check of obj->clip.clipees,
+      because evas_objct_clip_unset can set null to obj->clip.clipees */
+   while (obj->clip.clipees)
+     {
+        Evas_Object_Protected_Data *tmp;
+        tmp = eina_list_data_get(obj->clip.clipees);
+        evas_object_clip_unset(tmp->object);
+     }
    EINA_LIST_FOREACH_SAFE(obj->proxy->proxies, l, l2, proxy)
      {
         if (eo_isa(proxy, EVAS_OBJ_IMAGE_CLASS))