From 917fdbd59706145ea37eae59a6a47f7b9d1e7ff3 Mon Sep 17 00:00:00 2001 From: Youngbok Shin Date: Tue, 1 Dec 2015 15:03:27 -0800 Subject: [PATCH] evas: fix a NULL dereference issue in font. Summary: eina_list_remove returns Eina_List pointer. It could be NULL if the last list item is removed. And the returned Eina_List pointer could be different from the given list. So, calling free for fdir->data after fdir's address is changed is dangerous. @fix Test Plan: Run expedite or test app with evas_font_path_append() API. Reviewers: stefan_schmidt, jpeg Reviewed By: jpeg Subscribers: stefan, jiin.moon, cedric, jpeg Differential Revision: https://phab.enlightenment.org/D3392 Signed-off-by: Cedric BAIL --- src/lib/evas/canvas/evas_font_dir.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/lib/evas/canvas/evas_font_dir.c b/src/lib/evas/canvas/evas_font_dir.c index dc9ac20..b54e6c0 100644 --- a/src/lib/evas/canvas/evas_font_dir.c +++ b/src/lib/evas/canvas/evas_font_dir.c @@ -1122,7 +1122,7 @@ static Evas_Font_Dir * object_text_font_cache_dir_add(char *dir) { Evas_Font_Dir *fd; - char *tmp, *tmp2; + char *tmp, *tmp2, *file; Eina_List *fdir; Evas_Font *fn; @@ -1183,9 +1183,9 @@ object_text_font_cache_dir_add(char *dir) /* directoy listing */ fdir = evas_file_path_list(dir, "*.ttf", 0); - while (fdir) + EINA_LIST_FREE(fdir, file) { - tmp = evas_file_path_join(dir, fdir->data); + tmp = evas_file_path_join(dir, file); if (tmp) { fn = calloc(1, sizeof(Evas_Font)); @@ -1194,12 +1194,12 @@ object_text_font_cache_dir_add(char *dir) char *p; fn->type = 0; - tmp2 = alloca(strlen(fdir->data) + 1); - strcpy(tmp2, fdir->data); + tmp2 = alloca(strlen(file) + 1); + strcpy(tmp2, file); p = strrchr(tmp2, '.'); if (p) *p = 0; fn->simple.name = eina_stringshare_add(tmp2); - tmp2 = evas_file_path_join(dir, fdir->data); + tmp2 = evas_file_path_join(dir, file); if (tmp2) { fn->path = eina_stringshare_add(tmp2); @@ -1209,8 +1209,7 @@ object_text_font_cache_dir_add(char *dir) } free(tmp); } - fdir = eina_list_remove(fdir, fdir->data); - free(fdir->data); + free(file); } /* fonts.alias */ -- 2.7.4