projects / platform / upstream / efl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 20671d8)
evas: fix a NULL dereference issue in font.
authorYoungbok Shin <youngb.shin@samsung.com>
Tue, 1 Dec 2015 23:03:27 +0000 (15:03 -0800)
committerCedric BAIL <cedric@osg.samsung.com>
Tue, 1 Dec 2015 23:03:51 +0000 (15:03 -0800)
Summary:
eina_list_remove returns Eina_List pointer.
It could be NULL if the last list item is removed.
And the returned Eina_List pointer could be different from the given list.
So, calling free for fdir->data after fdir's address is changed is dangerous.
@fix

Test Plan: Run expedite or test app with evas_font_path_append() API.

Reviewers: stefan_schmidt, jpeg

Reviewed By: jpeg

Subscribers: stefan, jiin.moon, cedric, jpeg

Differential Revision: https://phab.enlightenment.org/D3392

Signed-off-by: Cedric BAIL <cedric@osg.samsung.com>
src/lib/evas/canvas/evas_font_dir.c patch | blob | history

diff --git a/src/lib/evas/canvas/evas_font_dir.c b/src/lib/evas/canvas/evas_font_dir.c
index dc9ac20..b54e6c0 100644 (file)
--- a/src/lib/evas/canvas/evas_font_dir.c
+++ b/src/lib/evas/canvas/evas_font_dir.c
@@ -1122,7 +1122,7 @@ static Evas_Font_Dir *
 object_text_font_cache_dir_add(char *dir)
 {
    Evas_Font_Dir *fd;
-   char *tmp, *tmp2;
+   char *tmp, *tmp2, *file;
    Eina_List *fdir;
    Evas_Font *fn;
 
@@ -1183,9 +1183,9 @@ object_text_font_cache_dir_add(char *dir)
 
    /* directoy listing */
    fdir = evas_file_path_list(dir, "*.ttf", 0);
-   while (fdir)
+   EINA_LIST_FREE(fdir, file)
      {
-       tmp = evas_file_path_join(dir, fdir->data);
+       tmp = evas_file_path_join(dir, file);
        if (tmp)
          {
             fn = calloc(1, sizeof(Evas_Font));
@@ -1194,12 +1194,12 @@ object_text_font_cache_dir_add(char *dir)
                  char *p;
 
                  fn->type = 0;
-                 tmp2 = alloca(strlen(fdir->data) + 1);
-                 strcpy(tmp2, fdir->data);
+                 tmp2 = alloca(strlen(file) + 1);
+                 strcpy(tmp2, file);
                  p = strrchr(tmp2, '.');
                  if (p) *p = 0;
                  fn->simple.name = eina_stringshare_add(tmp2);
-                 tmp2 = evas_file_path_join(dir, fdir->data);
+                 tmp2 = evas_file_path_join(dir, file);
                  if (tmp2)
                    {
                       fn->path = eina_stringshare_add(tmp2);
@@ -1209,8 +1209,7 @@ object_text_font_cache_dir_add(char *dir)
               }
             free(tmp);
          }
-       fdir = eina_list_remove(fdir, fdir->data);
-       free(fdir->data);
+       free(file);
      }
 
    /* fonts.alias */
Domain: UI Framework / EFL;