Function dfb_input_remove_device calls fusion_reactor_dispatch, which frees the resources pointed to by the "device" pointer. After that, "device" is still used in the following calls: fusion_ref_zero_trylock, fusion_ref_unlock and fusion_ref_destroy. If the freed area is overwritten (by another allocation) before the mentioned calls, then it might end with:
- segmentation faults in the case of a release build,
- MAGIC asserts in fusion in the case of debug builds.

The patch replaces the "device" variable with "shared".

Lukasz
--- ./src/core/input.c.old 2012-06-29 18:00:26.000000000 +0200 +++ ./src/core/input.c 2012-07-17 11:19:22.015748625 +0200 @@ -1817,13 +1817,15 @@ dfb_input_remove_device(int device_index /* Send the hot-plug out message */ #if FUSION_BUILD_MULTI + /* do not use "device" after dispatch call, since dispatch calls + local_processing_hotplug, which frees memory pointed by "device" */ fusion_reactor_dispatch( core_input->reactor, &message, true, NULL); int loop = CHECK_NUMBER; while (--loop) { - if (fusion_ref_zero_trylock( &device->shared->ref ) == DR_OK) { - fusion_ref_unlock(&device->shared->ref); + if (fusion_ref_zero_trylock( &shared->ref ) == DR_OK) { + fusion_ref_unlock(&shared->ref); break; } @@ -1833,7 +1835,7 @@ dfb_input_remove_device(int device_index if (!loop) D_DEBUG_AT(Core_Input, "Shared device might be connected to by others\n"); - fusion_ref_destroy(&device->shared->ref); + fusion_ref_destroy(&shared->ref); #else local_processing_hotplug((const void*) &message, (void*) device->core); #endif
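Review bot: the first hunk switches the fusion_ref_zero_trylock/fusion_ref_unlock calls to `shared->ref`, but nothing in the hunk or its context declares or assigns `shared`, so it is not visible whether dfb_input_remove_device already holds a local `shared` taken from `device->shared` before the dispatch. If that assignment happens after fusion_reactor_dispatch, it still reads the freed `device`. The new comment above the dispatch is the natural place to state where `shared` comes from, e.g. `/* "shared" is saved from device->shared before this point; do not use "device" after dispatch ... */`.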
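Review bot: in the second hunk, `fusion_ref_destroy(&shared->ref)` only removes the use-after-free if the memory `shared` points to outlives local_processing_hotplug; the added comment says the handler frees what `device` points to, but not whether `device->shared` is among the resources it releases. Please confirm, and record in the comment, that only the device object is freed on dispatch, otherwise the dangling access is merely moved from `device` to `shared`. The `#else` branch is fine as is, since `device->core` is evaluated before local_processing_hotplug runs.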
_______________________________________________
directfb-dev mailing list
directfb-dev@directfb.org
http://mail.directfb.org/cgi-bin/mailman/listinfo/directfb-dev