Fix use after free

To fix heap-use-after-free issue, this patch adds a mutex for critical section.

Change-Id: Idf1c9cdefc0c9c683747104a5ee70f3af8ab8b0e
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>

diff --git a/src/tizen-core/source.cc b/src/tizen-core/source.cc
index 4b3beac6576bfd6fd2caf7682a4c3382dc4a026c..df1d659802424a0baf3c139aaa5814bd7cb80917 100644 (file)
--- a/src/tizen-core/source.cc
+++ b/src/tizen-core/source.cc
@@ -129,16 +129,24 @@ bool Source::IsAttached() const { return attached_; }
 
 GSource* Source::GetHandle() const { return handle_; }
 
-void Source::RefSelf() { if (!self_) self_ = shared_from_this(); }
+void Source::RefSelf() {
+  std::lock_guard<std::recursive_mutex> lock(GetMutex());
+  if (!self_) self_ = shared_from_this();
+}
 
-void Source::UnrefSelf() { self_.reset(); }
+void Source::UnrefSelf() {
+  std::lock_guard<std::recursive_mutex> lock(GetMutex());
+  self_.reset();
+}
 
 void Source::SetPriority(int priority) {
   g_source_set_priority(handle_, priority);
 }
 
+std::recursive_mutex& Source::GetMutex() const { return mutex_; }
+
 // LCOV_EXCL_START
-bool Source::OnSourcePrepare(int* timeout) { return false; }
+bool Source::OnSourcePrepare(int* timeout) {return false; }
 
 bool Source::OnSourceCheck() { return false; }
 
@@ -151,6 +159,7 @@ gboolean Source::SourcePrepareFunc(GSource* gsource, gint* timeout) {
   if (source == nullptr)
     return FALSE;
 
+  std::lock_guard<std::recursive_mutex> lock(source->GetMutex());
   return source->OnSourcePrepare(timeout);
 }
 
@@ -159,6 +168,7 @@ gboolean Source::SourceCheckFunc(GSource* gsource) {
   if (source == nullptr)
     return FALSE;
 
+  std::lock_guard<std::recursive_mutex> lock(source->GetMutex());
   return source->OnSourceCheck();
 }
 
@@ -168,6 +178,7 @@ gboolean Source::SourceDispatchFunc(GSource* gsource, GSourceFunc callback,
   if (source == nullptr)
     return FALSE;
 
+  std::lock_guard<std::recursive_mutex> lock(source->GetMutex());
   return source->OnSourceDispatch();
 }
 
@@ -176,6 +187,7 @@ void Source::SourceFinalizeFunc(GSource* gsource) {
   if (source == nullptr)
     return;
 
+  std::lock_guard<std::recursive_mutex> lock(source->GetMutex());
   source->OnSourceFinalize();
 }
 // LCOV_EXCL_STOP

diff --git a/src/tizen-core/source.h b/src/tizen-core/source.h
index 7dd0b18639c21e0d673503f94be49683d75960e7..54e7ac1eb3835c6854cec2be93c6b68e561d5ae5 100644 (file)
--- a/src/tizen-core/source.h
+++ b/src/tizen-core/source.h
@@ -21,6 +21,7 @@
 
 #include <list>
 #include <memory>
+#include <mutex>
 
 #include "tizen-core/context.h"
 #include "tizen-core/interface_source.h"
@@ -58,12 +59,14 @@ class EXPORT_API Source : public ISource,
   static gboolean SourceDispatchFunc(GSource* gsource, GSourceFunc callback,
                                      gpointer user_data);
   static void SourceFinalizeFunc(GSource* gsource);
+  std::recursive_mutex& GetMutex() const;
 
  private:
   GSource* handle_ = nullptr;
   bool attached_ = false;
   std::shared_ptr<Source> self_;
   std::list<std::shared_ptr<PollFd>> poll_fds_;
+  mutable std::recursive_mutex mutex_;
 };
 
 }  // namespace tizen_core