From c5b98e18a14b6ff4d0995eac741bf43038b0bcc5 Mon Sep 17 00:00:00 2001 From: Shinwoo Kim Date: Thu, 14 Jan 2021 13:47:06 +0900 Subject: [PATCH] gl: remove invalid read and write Summary: There could be 2 evas_gl_image referencing 1 evas_gl_texture. evas_object_image_orient_set could make this case. In this case, when one evas_gl_image is removed(free), the evas_gl_texture is not removed because its reference count. After this point, if the other evas_gl_image is removed without drawing (see function evas_gl_common_image_draw, line "im->tex->im = im") then evas_gl_texture is reading invalid adress when it is removed. Reviewers: Hermet, jsuya, herb, devilhorns Reviewed By: devilhorns Subscribers: devilhorns, cedric, #reviewers, #committers Tags: #efl Differential Revision: https://phab.enlightenment.org/D12229 Change-Id: I6e7dc894ab314a45ddaadeba709ea2b35360b43a --- src/modules/evas/engines/gl_common/evas_gl_common.h | 2 +- src/modules/evas/engines/gl_common/evas_gl_image.c | 10 +++++++++- src/modules/evas/engines/gl_common/evas_gl_texture.c | 7 ++++--- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/modules/evas/engines/gl_common/evas_gl_common.h b/src/modules/evas/engines/gl_common/evas_gl_common.h index f565ecc..256d03e 100755 --- a/src/modules/evas/engines/gl_common/evas_gl_common.h +++ b/src/modules/evas/engines/gl_common/evas_gl_common.h @@ -769,7 +769,7 @@ Evas_GL_Texture *evas_gl_common_texture_render_noscale_new(Evas_Engine_GL_Conte Evas_GL_Texture *evas_gl_common_texture_dynamic_new(Evas_Engine_GL_Context *gc, Evas_GL_Image *im); void evas_gl_common_texture_update(Evas_GL_Texture *tex, RGBA_Image *im); void evas_gl_common_texture_upload(Evas_GL_Texture *tex, RGBA_Image *im, unsigned int bytes_count); -void evas_gl_common_texture_free(Evas_GL_Texture *tex, Eina_Bool force); +Eina_Bool evas_gl_common_texture_free(Evas_GL_Texture *tex, Eina_Bool force); Evas_GL_Texture *evas_gl_common_texture_alpha_new(Evas_Engine_GL_Context *gc, DATA8 *pixels, unsigned int w, unsigned int h, int fh); void evas_gl_common_texture_alpha_update(Evas_GL_Texture *tex, DATA8 *pixels, unsigned int w, unsigned int h, int fh); Evas_GL_Texture *evas_gl_common_texture_yuv_new(Evas_Engine_GL_Context *gc, DATA8 **rows, unsigned int w, unsigned int h); diff --git a/src/modules/evas/engines/gl_common/evas_gl_image.c b/src/modules/evas/engines/gl_common/evas_gl_image.c index c6dbec1..831e260 100755 --- a/src/modules/evas/engines/gl_common/evas_gl_image.c +++ b/src/modules/evas/engines/gl_common/evas_gl_image.c @@ -723,7 +723,15 @@ evas_gl_common_image_free(Evas_GL_Image *im) { if (_evas_gl_image_cache_add(im)) return; } - if (im->tex) evas_gl_common_texture_free(im->tex, EINA_TRUE); + if (im->tex) + { + if (!evas_gl_common_texture_free(im->tex, EINA_TRUE)) + { + /* if texture is not freed, we need to assign im to NULL + because after this point im will be freed */ + im->tex->im = NULL; + } + } if (im->im) evas_cache_image_drop(&im->im->cache_entry); diff --git a/src/modules/evas/engines/gl_common/evas_gl_texture.c b/src/modules/evas/engines/gl_common/evas_gl_texture.c index f241846..0c86652 100755 --- a/src/modules/evas/engines/gl_common/evas_gl_texture.c +++ b/src/modules/evas/engines/gl_common/evas_gl_texture.c @@ -1721,10 +1721,10 @@ evas_gl_common_texture_update(Evas_GL_Texture *tex, RGBA_Image *im) im->cache_entry.flags.textured = 1; } -void +Eina_Bool evas_gl_common_texture_free(Evas_GL_Texture *tex, Eina_Bool force) { - if (!tex) return; + if (!tex) return EINA_FALSE; if (force) { evas_gl_preload_pop(tex); @@ -1733,7 +1733,7 @@ evas_gl_common_texture_free(Evas_GL_Texture *tex, Eina_Bool force) evas_gl_preload_target_unregister(tex, eina_list_data_get(tex->targets)); } tex->references--; - if (tex->references != 0) return; + if (tex->references != 0) return EINA_FALSE; // TIZEN ONLY (20180823): Use PIO for Paletted png if(tex->has_palette) @@ -1796,6 +1796,7 @@ evas_gl_common_texture_free(Evas_GL_Texture *tex, Eina_Bool force) } evas_gl_common_texture_light_free(tex); + return EINA_TRUE; } Evas_GL_Texture * -- 2.7.4