From: Jean-Philippe Andre <jp.andre@samsung.com>
Date: Tue, 14 Feb 2017 05:42:33 +0000 (+0900)
Subject: evas: Fix double free in post events
X-Git-Tag: upstream/1.20.0~2025
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=65ae1c812c8fd8893e78c98a35908794b4a3af9a;p=platform%2Fupstream%2Fefl.git

evas: Fix double free in post events

A use of the post event callback in Bryce triggered a double free
as an event was being processed but not yet removed from its list,
leading to an invalid state of the Eina_List.

Also remove obj from struct as it is unused.

Fixes T5157
---

diff --git a/src/lib/evas/canvas/evas_callbacks.c b/src/lib/evas/canvas/evas_callbacks.c
index 84f07ff..2b4e88e 100644
--- a/src/lib/evas/canvas/evas_callbacks.c
+++ b/src/lib/evas/canvas/evas_callbacks.c
@@ -225,6 +225,7 @@ void
 _evas_post_event_callback_call(Evas *eo_e, Evas_Public_Data *e)
 {
    Evas_Post_Callback *pc;
+   Eina_List *l, *l_next;
    int skip = 0;
    static int first_run = 1; // FIXME: This is a workaround to prevent this
                              // function from being called recursively.
@@ -232,8 +233,9 @@ _evas_post_event_callback_call(Evas *eo_e, Evas_Public_Data *e)
    if (e->delete_me || (!first_run)) return;
    _evas_walk(e);
    first_run = 0;
-   EINA_LIST_FREE(e->post_events, pc)
+   EINA_LIST_FOREACH_SAFE(e->post_events, l, l_next, pc)
      {
+        e->post_events = eina_list_remove_list(e->post_events, l);
         if ((!skip) && (!e->delete_me) && (!pc->delete_me))
           {
              if (!pc->func((void*)pc->data, eo_e)) skip = 1;
@@ -577,12 +579,11 @@ evas_post_event_callback_push(Evas *eo_e, Evas_Object_Event_Post_Cb func, const
    Evas_Public_Data *e = efl_data_scope_get(eo_e, EVAS_CANVAS_CLASS);
    Evas_Post_Callback *pc;
 
-   if (!e) return;
+   if (!e || e->delete_me) return;
    EVAS_MEMPOOL_INIT(_mp_pc, "evas_post_callback", Evas_Post_Callback, 64, );
    pc = EVAS_MEMPOOL_ALLOC(_mp_pc, Evas_Post_Callback);
    if (!pc) return;
    EVAS_MEMPOOL_PREP(_mp_pc, pc, Evas_Post_Callback);
-   if (e->delete_me) return;
 
    pc->func = func;
    pc->data = data;
diff --git a/src/lib/evas/include/evas_private.h b/src/lib/evas/include/evas_private.h
index 650f617..7360391 100644
--- a/src/lib/evas/include/evas_private.h
+++ b/src/lib/evas/include/evas_private.h
@@ -785,7 +785,6 @@ struct _Evas_Lock
 
 struct _Evas_Post_Callback
 {
-   Evas_Object               *obj;
    Evas_Object_Event_Post_Cb  func;
    const void                *data;
    unsigned char              delete_me : 1;