[Elm_Dnd] Fix segmentation fault when deleting object with same registered drop callbacks

Summary:
In case we register two or more of same drop callbacks for one object, when that object is deleted, segmentation fault happens.

Test case: Register only same callbacks more than two times for one object. Delete that object (manual or auto). Segmentation fault happens.
Reason: When object is deleted, we remove all drop callbacks registered with the object. The _all_drops_targets_cbs_del and elm_drop_target_del are used to do that and they operates on the same cbs_list. If elm_drop_target_del remove the current and the next callbacks in cbs_list, the segmentation fault will happen at _all_drops_targets_cbs_del.
Fix: Check and use updated cbs_list.

@fix

Reviewers: JackDanielZ, raster, seoz

Reviewed By: JackDanielZ

CC: woohyun
Differential Revision: https://phab.enlightenment.org/D691

diff --git a/legacy/elementary/src/lib/elm_cnp.c b/legacy/elementary/src/lib/elm_cnp.c
index df107a4..5b88d2f 100644 (file)
--- a/legacy/elementary/src/lib/elm_cnp.c
+++ b/legacy/elementary/src/lib/elm_cnp.c
@@ -208,10 +208,10 @@ _all_drop_targets_cbs_del(void *data EINA_UNUSED, Evas *e EINA_UNUSED, Evas_Obje
    eo_do(obj, eo_base_data_get("__elm_dropable", (void **)&dropable));
    if (dropable)
      {
-        Eina_Inlist *itr;
         Dropable_Cbs *cbs;
-        EINA_INLIST_FOREACH_SAFE(dropable->cbs_list, itr, cbs)
+        while (dropable->cbs_list)
           {
+             cbs = EINA_INLIST_CONTAINER_GET(dropable->cbs_list, Dropable_Cbs);
              elm_drop_target_del(obj, cbs->types,
                    cbs->entercb, cbs->enterdata, cbs->leavecb, cbs->leavedata,
                    cbs->poscb, cbs->posdata, cbs->dropcb, cbs->dropdata);